Re: Symmetric encypher with private key decypher
Mikmorg wrote: I am looking for a way to use symmetric encryption on a day-to-day basis, using a key-file of some sort to decypher the file. I have decided that using my asymmetric private key in the following way was the best for this, using the following method: I think I sort of get what you are trying to do here: random key - encrypt data w/ random key | V encrypt key w/ public key ... which is actually what GPG does with bog-standard public key encryption! Or do you want something else? -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: authenticate flag
Aaron J. Graves wrote: I have created a key that for some reason does not have the authenticate flag set. Is there a way I can somehow set this flag? Or do I have to start from scratch? Here's an example. From the key in question: pub 1024D/9FB54294 created: 2006-09-17 expires: never usage: SC trust: ultimate validity: ultimate sub 4096g/DE94A6C4 created: 2006-09-17 expires: never usage: E And from another key that has the flag set: pub 1024D/34BAFE51 created: 2006-08-26 expires: 2011-08-25 usage: SCA trust: ultimate validity: ultimate sub 4096g/84400184 created: 2006-08-26 expires: 2011-08-25 usage: E Notice the A in the usage section. How can I add that to my other key? Or if it's not necessary, would it be possible to ask why? As someone wiser than me said about a year and a half ago, a key with the authenticate flag could be used to eg. unlock your PC instead of using a username/password. To set the flag during key creation, use gpg --expert --gen-key: Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (3) DSA (set your own capabilities) (5) RSA (sign only) (7) RSA (set your own capabilities) Your selection? Select (7) and toggle the A option. Adding it to an existing key requires a deep understanding of the OpenPGP spec (RFC 2440) and a hex editor; alternatively, you could add a subkey with this capability (gpg --expert --edit 0xkeyid, addkey, passphrase, 7, A, Q). HTH, -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Importing my keys fails
Michael Erskine wrote: On Wednesday 29 November 2006 21:33, Joseph Bruni wrote: An OpenSSH key is not an OpenPGP key. There are some efforts to use OpenPGP keys for SSH authentication, however. Can they be somehow integrated or will I always need two (or more) sets of keys? Are the keys used by OpenSSH in themselves somehow less secure or is there something in their nature that means they can never be used by OpenPGP? My limited understanding was that symetric keys were just a pair of fancy numbers! :) Since I can't be bothered explaining, here are some links that will do it for me: http://en.wikipedia.org/wiki/Public-key_cryptography http://www.gnupg.org/gph/en/manual.html http://sixdemonbag.org/cryptofaq.html -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Logo ballot reminder
Wouter van Heyst wrote: On Wed, Nov 29, 2006 at 01:21:20PM -0500, Andrew Myers wrote: snip I hope the election system has been working well for everyone otherwise. The system was fairly easy to use, the hardest part was deciding how the various entries ranked :) I saw something weird where moving entries around didn't preserve the order that you had put things in... I ended up writing out all the option numbers on scraps of paper and shuffling them around until they were in the order I wanted :) -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Two servers...one KeyPair
Joseph Oreste Bruni wrote: Your question is ambiguous. What are you trying to do? Use one key pair on two systems, or use two key pairs on two systems? If the former, simply copy the .gnupg directory to the second system. That advice is seriously flawed. You do *not* want to copy the random-seed file! -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Two servers...one KeyPair
Henry Bremridge wrote: On Wed, Nov 29, 2006 at 08:20:06PM +1030, Alphax wrote: That advice is seriously flawed. You do *not* want to copy the random-seed file! Just out of interest: why? As someone a lot smarter than me pointed out in a message I can't find when I suggested just copy the .gnupg directory (and with a bit of background info thrown in, and I'm not a cryptographer and haven't really studied the GnuPG internals so I might be wrong): GPG is a hybrid cryptosystem; messages are (symmetrically) encrypted to random session keys, which are then (asymmetrically) encrypted to a number of recipient public keys. Part of the security of the system is that the session key is random or as close to it as possible; because GPG will work on many different and varying systems, there is no guarantee of a system-wide random data source, so you can't just read from /dev/random or /dev/urandom every time you want a bit of random data, because it might not exist (and these have their own problems). So, GPG has it's own internal pseudorandom number generator. In order to speed things up a bit, it normally has an internal seed of pooled random data - which it stores in .gnupg/random_seed while it's not using it. When GPG decides it wants some random data, it generates it using this file as the seed - so if you know what the random seed file was, it's (somewhat) easier to predict what the next lot of random data is going to be. So, you don't want two installations of GPG to have the same random_seed, because you're going to start producing deterministic output... -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.0
Aldert Hazenberg wrote: On Nov 13, 2006, at 4:28 PM, Werner Koch wrote: A port to Windows might eventually be done but as of now I see no reason for it. Hi Werner, What is your reason for no windows port of 2.0 ? Is it a business reason ? Or ideological ? As I understand, technological: the structures used in GPG2 simply don't exist in W32-land. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to enable a block cipher or hash algorithm for a keypair?
Crest da Zoltral wrote: I searched any documentation i found on the net about how to edit keys, but I didn't found a way to enable a different cipher or digest? With `gpg --edit-key $key_id showpref` it's only possible to view the preferences and `gpg --edit-key $key_id pref` seems only to print the prefs in shorter harder to read form. So how can I enable Twofish and SHA-512 (without overriding the preferences with --cipher-algo and --digest-algo)? $ gpg --edit-key 0xDEADBEEF Secret key is available pub 2048R/0xDEADBEEF created: 2006-01-01 expires: never usage: SC trust: ultimate validity: ultimate sub 2048g/0xCAFEBABE created: 2006-01-01 expires: never usage: E [ultimate] (1). Person (comment) [EMAIL PROTECTED] Command setpref h8 h10 h3 h2 s4 s9 s10 s8 s7 z3 z2 z1 mdc no-ks-modify Set preference list to: Cipher: BLOWFISH, AES256, TWOFISH, AES192, AES, 3DES Digest: SHA256, SHA512, RIPEMD160, SHA1 Compression: BZIP2, ZLIB, ZIP, Uncompressed Features: MDC, Keyserver no-modify Really update the preferences? (y/N) You need a passphrase to unlock the secret key for user: Person (comment) [EMAIL PROTECTED] 2048-bit RSA key, ID 0xDEADBEEF, created 2006-01-01 Enter passphrase: Command quit Save changes? (y/N) y HTH, -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG and PGP Compatibility
Alphax wrote: re: setting the extension in Enigmail I've filed an RFE at http://bugzilla.mozdev.org/show_bug.cgi?id=15442. Well, apparantly it's already doable: You can set this with the following two preferences in about:config (or in Thunderbird via Preferences/Advanced/Config Editor): extensions.enigmail.inlineAttachExt extensions.enigmail.inlineSigAttachExt Hope that helps, -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG and PGP Compatibility
Conan Purves wrote: Hello everybody, snip When I encode attachments, it gives them a .gpg suffix. My colleagues who are using PGP Desktop cannot decode those files. Though I can decode their files, either using the gpgee contextual menu or automatically through enigmail. Practically speaking, is there a solution for this? My colleagues are most likely going to want to continue using PGP Desktop. Although it's only freeware and not open source, GPGShell http://www.jumaros.de/rsoft/index.html will give you explorer and system tray integration, and let you use a .pgp extension. I've filed an RFE at http://bugzilla.mozdev.org/show_bug.cgi?id=15442. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG Outlook Plug-In and Signatures
Ryan Malayter wrote: HTML + OpenPGP = FAIL. In English: HTML screws up OpenPGP. You don't want it. There are other reasons why you don't want HTML anyway but I won't go into them here. Actually, when I sign an HTML email with GPGOL, and send it to my Gmail account, I seem to get this on the receiving end: 1) A plain text version of the message, signed in-line. 2) An attachment of .HTML type, which contains the original unaltered HTML message. 3) A second attachment, which is seems to be an ASCII detached signature of the first attached HTML file. You just discovered the second reason why HTML email is evil: it sends everything TWICE. For people still on 33.6kb/s dialup that is a major inconvenience. Does any other OpenPGP client handle this attachment result? Or do you need to save the attachments and manually verify the detached signature? GPGOL itself doesn't seem to read this exploded format, even though it creates it. GPGOL only verifies the plain text version. PGP/MIME capable mail clients /may/ handle it, but you'd have to actually try it to be certain. Such a test should be conducted off-list in order to avoid flames for an HTML posting. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Key problem
Johannes Schmid wrote: Hi! OK, I think I misunderstood something. Anyway, 'gpg --armor --export [EMAIL PROTECTED]' which should do the right the thing ends up with exactly the same error message. And it seems like I have no really good backup availible, the error is in all backups... What version of GPG/PGP did you create your key/backups with? Try using that version to recover your key. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Howto add ssh keys to .gnupg/sshcontrol?
Michael Bienia wrote: Hello, I'm having trouble to add my ssh key to a running gpg-agent (started with --enable-ssh-support). The comments in .gnupg/sshcontrol suggests you can do it with ssh-add or manually. When I try it with ssh-add I'm asked about my passphrase but afterwards ssh-add -l doesn't list it and it also doesn't show up in sshcontrol. The comment also mentions that one can add it manually by adding a keygrip of 40 hex digits. How do I get this keygrip from my ssh key to add it manually? I assume you mean fingerprint? ssh-keygen -l [-f input_keyfile] -l Show fingerprint of specified public key file. Private RSA1 keys are also supported. For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Logo suggestions
Zach Himsel wrote: snip Also, one question. Should the icon be detailed enough to be big (like the gmail logo: http://mail.google.com/mail/help/images/logo1.gif)? Or should it be smaller and less detailed (for use as a program icon or small logo (like the small gmail logo, which is the m in the gmail logo by itself)? I was thinking do two versions, maybe have one big and one small (like the big Gmail/small m; or the abiword logo which has Abiword with the special A which can be used as a logo itself). Maybe have the gnu with the lock in a bigger logo (for the website, etc.) and then do a smaller, less detailed one with the gnu/lock geared more towards program icons (like 16x16 or 32x32 or 64x64). Good question. Here's something that came up on another list: Two days before the start of conference, in the organizers' office. person X is layouting the press kit, searching for highresolution versions of all project logos. The project Y logo was available only as small image. Scaled to print resolution, it was 10x12 mm which looked a bit small on an DIN A4 page. person Z had redrawn the project Y logo for a convention, unfortunately the file was lost on a broken hard disk. No problem, let's just take a digital camera, take a photo from the printout he still had, do a little bit of filtering in gimp... So we used a photo of a bitmap graphic and, at least for my part, are using it till today. Shall I tell you the story of the t-shirt producer, too, who wanted to print the project W logo as a serigraph? And all this because nobody thought - when the logos were chosen - that logos are not just for the upper left corner of website but are needed in suitable versions for print as well. So yes, logos should be available at high resolutions. One easy way to ensure this is to create them in vector form, eg. as an SVG file. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Create a key without subkey?
Eike Herzbach wrote: Hi, How do I generate an encryption key with gnupg? I tried some options but it always generates me a sign-only key with an encryption subkey. I need to receive encrypted financial data from a system that uses PGP5. When I send in my key to that system it outputs me the following: [PGP Ausgabeprotokoll] Adding keys: Key ring: '[EMAIL PROTECTED]' Type Bits KeyID CreatedExpiresAlgorithm Use pub 1024 0xAF7B19C4 2006-09-25 -- DSS Sign only sub 2048 0x508FA9D7 2006-09-25 -- Diffie-Hellman uid Eike Herzbach [EMAIL PROTECTED] Later when the system tries to send me an encrypted message it fails and says that it can't encrypt with a Sign-only key. (I guess it is not able to use the subkey and only sees the 'outer' key) Is there a way to fix this in GnuPG? Or do I have to get PGP5 to generate such a key? Questions, questions... What version of GPG are you using? What options did you try? What do you want this key to be able to do? What does GPG tell you about the key? You probably want gpg --expert --gen-key, select (7) RSA (set your own capabilities), and to set Sign, encrypt, certify. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: DSA2
Robert J. Hansen wrote: snip I don't know off the top of my head whether DSA supports firewalled hash functions or not. I believe that the last time I checked the spec, I came to the conclusion it did not. RSA signing keys, on the other hand, do support firewalling. Interesting. I'm looking at the official (November 1998) RFC 2440 and it's not immediately obvious that this is the case; although both the Version 3 and Version 4 signature packet formats say that the hash algorithm is part of the body of the packet, it says of RSA signatures: With RSA signatures, the hash value is encoded as described in PKCS-1 section 10.1.2, Data encoding, producing an ASN.1 value of type DigestInfo, and then padded using PKCS-1 block type 01 [RFC2313]. This requires inserting the hash value as an octet string into an ASN.1 structure. The object identifier for the type of hash being used is included in the structure. The hexadecimal representations for the currently defined hash algorithms are: snip Note that it's also not immediately obvious what the format of the signature packet used in a clearsigned message is... I haven't looked at the working draft of the RFC but hopefully it's a lot clearer than the published version. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Gnupg-users Digest, Vol 36, Issue 8
C Yohman wrote: Carlo's instructions worked. Thank you to everyone else. It works, except it failed one test. Is that test important? It's a known issue with building on MSYS. The problem/fix is as follows: If you get 'FAIL: conventional-mdc.test' during the check phase of the build the problem is caused by dd.exe from coreutils-bin v5.3.0 Sometimes the test passes sometimes fails. You will need the Cygwin version of dd.exe; you can get it from coreutils-5.2.1.bin.zip at http://tinyurl.com/jrjmw (Yahoo Groups). Mica has put up the relevant instructions and files at http://blueness.port5.com/gpgcvs/ based on the trial-and-error that a number of people went through to get native building on W32 to work. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP 6.5.8 - PGP 7.7.4 compatability with gpg 1.4.2
Vidas Makauskas wrote: Hi, I've been crypting files with gpg 1.2.2 on SUSE8.2 distribution. Partners use PGP 6.5.8 - PGP 7.7.4 for decrypting. I need transfer crypting to SuseEnterpriseServer10 with gpg 1.4.2 by default in distribution. Problem is, that partners can't decrypt my files now. Before encryption i export secret key from SUSE8.2: gpg --armor --export-secret-keys SECRET SECRET.ASC and import to SLES10. gpg --import SECRET.ASC gpg --import PARTNER.PKR - public key Our partners cant't decrypt my files now. PGP use DH/DSS 1024-4096 GPG use DSA and ElGamal 1024-2048 How can I check used key formats and change by default? How can I be sure what i use DSA and ElGamal 1024-2048 by default? There are compatibility options you can set in GPG via either the command line or ~/.gnupg/gpg.conf (-- is removed for config files): Use --pgp6 or --pgp7 depending on which version of PGP they are using. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Help! Gnupg can't run in php program
Simon Ruderich wrote: snip Enigmail gave me gpg: unexpected armor: -BEGIN PGP SIGNED MESSAGE-\n gpg: invalid radix64 character 3A skipped snip gpg: CRC error; 31D9CE - A8932B gpg: [don't know]: invalid packet (ctb=1d) GPGShell validated your sig ok, as did copy/pasting onto the command line. Something funny going on with Apple Mail? -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sig!3 entry vs sig! entry on certain GnuPG keys from the PuTTY software site
[EMAIL PROTECTED] wrote: The web site for the PuTTY software provides GnuPG keys to verify downloads of the PuTTY software. see http://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html With these keys imported into the GnuPG public keyring, issuing gpg --check-sigs produced the following output (the user name has been redacted): snip For the self-signatures on the DSA-type keys (and only the DSA-type keys) there is a sig!3 entry instead of a sig! entry. The other signatures on the DSA-type keys just have a sig! entry. It has been said elsewhere that the 3 in the sig!3 entry indicates a certificate check level of 3. However, the 3 does not appear on the self-signature entries for the RSA-type keys. Is this to do with the key types (the DSA type and the RSA type), the way that the keys were created and/or signed, or some other reason? It's to do with the way the keys were signed at the time they were generated. There is a default certification level option that can be used either on the command line or in a config file - normally GnuPG will ask you for the certification level when you sign a key, but the default /can/ be used if the right options are set, and /will/ be used at the time of key generation. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem]
Robert J. Hansen wrote: Janusz A. Urbanowicz wrote: You can't read a private key from the smartcard, but you can read it from the flashdrive. SC is a crypto processor + storage, flashdrive only storage. All of which is true. However, the bit to which I was replying was: A smartcard is very convenient as far as it's a multi application device, so you can store much other info apart from GnuPG keys, i.e. Mozilla passwords or such. ... And I'm still trying to figure out how that's different from a flash drive. Maybe there is a difference and I'm not seeing it. Or maybe there isn't one. I don't use a flash drive or a smartcard, for the following reasons: - Flash drives are too prone to failures at bizzare moments - Smartcards are largely experimental and don't have the instant usability of a USB stick (/me mutters something about The right tool for the right job...) -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Problem retrieving encrypted email
1wing-angel wrote: I don't know if this is a Thunderbird issue, a GnuPG issue, or a Engimail issue. I'm assuming it's Thunderbird's problem. I also don't know if I should post this to you guys or Thunderbird or Enigmail, but anyway I hope this is the right place. So far everything is working ok, BUT whenever I send a Signed and Encrypted email to myself, it goes through Gmail but I can't receive it with my Thunderbird email client. When I log onto my Gmail account, the signed and encrypted email is there in my inbox, but when I try to retrieve the message from my Thunderbird email client, it doesn't work. It doesn't give me any error messages or anything. snip I belive it's actually an issue with Gmail. Suppose you send an email (via Gmail's web interface or their SMTP server) to a mailing list. The mailing list will send a copy of the message back to you (if you've enabled it); however, Gmail recieves it and says Oh, you already sent that, I won't bother delivering it to you. I'm not sure if it ever appears in your inbox, but it won't be forwarded by any filters, and it probably won't be accessible via the POP3 interface either. I'm fairly certain that the behaviour is identical for sending an email to yourself. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG and 1024-bit (or multiple) subkeys
Werner Koch wrote: On Tue, 15 Aug 2006 21:09, Johan Wevers said: keys larger than 2048 bits but hacked versions exist that ganerate 16k keys). Is there such a limitation in gpg, or can I happily use a 128k RSA or El Gamal key with no other problems than them being very slow? The only limitations I am aware of are the amount of random you may get by one call and that the key as well as intermediate results need to fit into the allocated secure memory. I can verify this; the key generation size limit is currently set to 4096 bits, but can be increased to 8192 bits without too many problems. Someone reported that they were able to generate keys of 11296 bits (they are painfully slow to use), but for much more than that you get errors like |gpg: out of secure memory while allocating 5108 bytes |gpg: (this may be caused by too many secret keys used simultaneously |or due to excessive large key sizes) Now, although it can't generate keys that big, GPG can *use* a key of 16384 bits (presumably generated with one of Disastry's PGP 2.6.3 builds); again, operations involving such keys are painfully slow and not worth the effort. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Security of truncated hash functions
Qed wrote: Suppose you need a 160 bit digest. You can choose RIPEMD160/SHA1 or a truncated version of a bigger one (e.g.: SHA2 family). Which solution would be safer? Is a digest algo designed for a given length stronger than a truncated longer one? Since you're asking about 160-bit hashes on the GnuPG mailing list, I'll assume that you're asking about using the DSA2 option to use truncated hashes with DSA keys that have q=160. Now, I could be completely wrong, but common sense seems to suggest that there's no reason why it's any safer; in fact, you may be worse off. The reasoning for this answer is as follows: since DSA OpenPGP keys don't have a hash function firewall, it just gives an attacker more oppurtunities to find a hash collision; instead of having to pick from SHA1 and RIPEMD160 as the hash algorithms to pick a colliding message digest from, they can now add the SHA2 family of algorithms to their choices; plus, instead of having to collide 160/160 bits, they now only have to collide 160/{224,256,384,512} bits. Again, I could be completely wrong, but that's what common sense seems to suggest. I googled, but I found only http://www.schneier.com/blog/archives/2005/10/nist_hash_works_3.html I know that sci.crypt would be a better place to ask this question, but I don't like it. You could also ask at PGP-Basics :) -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to verify the file was successfully encrypted...
George Ross wrote: BTW, why are you encrypting these files anyway? If someone broke into your computer they could just steal the crypto key too. Excellent question! Truth be told, as soon as they are encrypted, they're being moved to another server in another location, and then are being burned to CD and moved to a safety deposit box. How about if you append a hash of the file to the file, and encrypt that too? Then have the remote machine do the trial decrypt-and-check-hash. If all is OK the remote machine can then tell the local one to delete the original; and if it's not OK, it can scream at you. Better than that, if you get GPG to sign the file when it encrypts it (using a passwordless key/subkey) and/or use the MDC option, you'll be able to do this more reliably... -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to verify the file was successfully encrypted...
Benny Helms wrote: On Wed, 2006-07-12 at 15:13 -0400, Jeffrey F. Bloss wrote: Benny Helms wrote: snippage Don't know if this will help or not, but I just did a quick test with GnuPG 1.4.4 and the --dry-run command line switch seem to work fine. Outputs to stdout rather than writing a file to disk. I changed a single bit in an encrypted (armored) file and tried it, and got a CRC error without entering any pass phrase at all. That's with -vv set in my options file, FWIW. And bleeding edge hash/cypher algorithms. Additionally, you can enter a pass phrase on the command line with the --passphrase switch. I tested it with both known good and known bad encrypted files, and if you enter a bogus/incorrect pass phrase for a known good file you get a bad passphrase error. With a known bad encrypted file you get the same CRC error. Neither one requires any user input, which is what you want. IOW, if you... gpg -d --dry-run --passphrase boguspassphrase bad-file.asc You get the CRC error, but if you... gpg -d --dry-run --passphrase boguspassphrase good-file.asc You get the bad passphrase. The down side is, both are exit code '2', so you'd have to grep for the verbal response to tell the difference. But that's not a major hurdle and it should be trivial to if $? grep return codes into something useful. The other down side is this doesn't explicitly tell you if you have a *good* encrypted file, it only picks out a couple errors. To do that you'd have to either be sitting there entering pass phrases, or include them in your script. Probably not where you'd want to go with this. :( Thanks Jeffrey. Excellent suggestion. This worked well with a .asc file, but not with a .gpg file. Does anyone on the list have a preference for .asc vs .gpg output? Pros? Cons? The size is almost twice as big as a .gpg at this time, which is a definite con. But there are probably some serious pros as well. Input? .asc files are immune to mangling of CR/LF characters which may be present in binary data, which often happens when you transfer via email or FTP. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
Michael Kallas wrote: David Shaw schrieb: I've been away on vacation and only picked up this thread now. This statement is not correct. Back in the PGP 2.x days, this might have been true, but with OpenPGP, there is no particular requirement that the ability to sign and the ability to decrypt are connected. You can have a shared key with separate capabilities. Sending an signed key via encrypted mail does not ensure anything about the key owner. Why not? Sorry, this conclusion was too fast for me, could you please explain a little bit? Suppose you send an email to Address W and encrypt an authentication token to Key X. You recieve a reply from Address Y, containing the authentication token, which has been signed with Key Z. This tells you that /someone/ with access to W has recieved a message; /someone/ with access to X has decrypted it; /someone/ with access to Z has signed a reply; and /someone/ with access to Y has sent a reply. Keys X and Z may or may not be the same key or subkeys of the same primary key, addresses W and Y may or may not be the same, and Y may or may not have been faked (which is trivial). The owners of W, X, Y and Z could be four different people, or they might not be people at all; all you can really say about the key owner is that X is in contact with W and Z, and Z is in contact with X and Y. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keyring Directory
Jeffrey F. Bloss wrote: Bob Henson wrote: Would someone kindly confirm the gpg.conf line for setting the keyring directory elsewhere than the standard one, please. As far as I can see, the --homedir command sets the directory for the executable files, but I'm not sure what to set to move the keyrings to another path to the standard (Win XP) path of ./application data/gnupg. Maybe it's an environment variable needs setting? snip Sorry for the out of sequence reply, just joined the list. :) I think what you want is actually a series of entries in your options file. This works under Linux with a thumb drive, maybe you can get it to work under Windows(?) by just changing the paths to the keyrings. # Begin - Set keyrings to flash drive no-default-keyring keyring /mnt/cruiser/.gnupg/pubring.gpg secret-keyring /mnt/cruiser/.gnupg/secring.gpg # End. Yes, that will work with gpg.conf on Windows too: # disable default pubring.gpg and secring.gpg no-default-keyring # # set the public keyring to use keyring c:\documents and settings\username\application data\gnupg\some-other-pubring.gpg # # set the keyring to import keys into primary-keyring c:\documents and settings\username\application data\gnupg\some-keyring-to-import-to.gpg # # set the secret keyring to use secret-keyring c:\documents and settings\username\application data\gnupg\some-other-secring.gpg # # set the trustdb to use trustdb-name c:\documents and settings\username\application data\gnupg\some-other-trustdb.gpg Note that on Windows paths are case insensitive, and unlike in the registry, backslashes do not need to be escaped and paths with spaces in them do not need to be quoted :) -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keyring Directory
Bob Henson wrote: Would someone kindly confirm the gpg.conf line for setting the keyring directory elsewhere than the standard one, please. As far as I can see, the --homedir command sets the directory for the executable files, but I'm not sure what to set to move the keyrings to another path to the standard (Win XP) path of ./application data/gnupg. Maybe it's an environment variable needs setting? From the manpage: --homedir directory Set the name of the home directory to directory If this option is not used it defaults to ~/.gnupg. It does not make sense to use this in a options file. This also overrides the environment variable $GNUPGHOME. However, the best fix on Windows is in the registry: [HKEY_CURRENT_USER\Software\GNU\GnuPG] HomeDir=C:\\Documents and Settings\\Username\\Application Data\\GnuPG OptFile=C:\\Documents and Settings\\Username\\Application Data\\GnuPG\\gpg.conf -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Interesting error message on import
On importing a large number of keys from a keyring backup, I saw the message gpg: assuming bad signature from key 0xE0BB4BCD due to an unknown critical bit about a dozen times. Can anyone explain what this means, whether this is the correct behaviour, and if I should be worried about it? -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Moving to another computer
Robert J. Hansen wrote: Matthew West wrote: Hi, I have all of my gnupg information set up on this current machine. How would I transfer my information to another computer. Is it fine to use the same information on both computers? Copy ~/.gnupg/* to your other computer; specifically, trustdb.gpg, secring.gpg, pubring.gpg, gpg.conf. Please don't follow this advice. Copying your entire .gnupg/ directory will also copy random_seed. You don't want random_seed to be shared between two computers. That could potentially result in a session key not being a one-time thing. If two computers share a random seed file, the chances of their random sequences being not-at-all-random increases. By all means, copy *.gpg and gpg.conf. Leave random_seed alone. You'll be happier that way. *thunk* Yeah, I should have thought of that... that's what comes of posting just before lunch. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP to GnuPG
Ash M wrote: Hi, I am working on a project to convert PGP keys to GnuPG. Most of the keys created recently have successfully been migtated but I am unable to migrate the ones created using PGP Version: 4.0 Business Edition. The error I get is: ( gpg version 1.4.2 ) $ gpg --import pubkey.pub.asc gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: key 390CA571: no valid user IDs gpg: this may be caused by a missing self-signature gpg: Total number processed: 1 gpg: w/o user IDs: 1 Following is the output from pgp for the same key: $ pgp -kvv 0x390CA571 Looking for user ID 0x390CA571. Type bits keyID Date User ID RSA 1024 0x390CA571 2003/09/24 KKK one_e05 sig0xCC7AB923 MFF user [EMAIL PROTECTED] 1 matching key found. I have heard that there are compatibility issues between GnuPG and older versions of PGP but is there any way of getting around this ? Any help would be well appreciated. If you still have the secret key, you can have the key sign itself and then this error will not occur. Otherwise, you can use the option in GnuPG --allow-non-selfsigned-uid to import the key, and then have it sign itself. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: False Decrypt Error...
Eric Robinson wrote: Hello David, Thanks so much for responding... We have switched from PGP to GPG and we have some of our customers are still using PGP, ¨PGPÁÀNŠˆæ ° is the first part of the message. snip Ask your customers to make sure their messages are ASCII-armored - not sure how to set this with the PGP GUI versions, but for the command line version the manual says: To produce a ciphertext file in ASCII radix-64 format, just add the -a option when encrypting or signing a mes- sage or extracting a key: pgp -sea textfile her_userid pgp -kxa userid keyfile [keyring] HTH, -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP zip
Todd Zullinger wrote: Snoken wrote: Hi, I cannot find any gpg-zip-program after installing GnuPG 1.4.3 for Windows. The announce message tells: Added gpg-zip, a program to create encrypted archives that can interoperate with PGP Zip. On my linux system, gpg-zip is a shell script. I'm guessing that it's not installed on windows because there isn't an sh compatible shell there. Perhaps if you were using cygwin you could get it to work, but I don't know. Minimum requirement is MSYS http://www.mingw.org/msys.shtml, which is a small set of the Cygwin tools. Never used gpg-zip myself though. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPGFiletool does not find all keys in my keychain
Pehr Jansson wrote: I am trying to use the GPGFiletool on Mac OS X to encrypt a file for a particular recipient. However, it does not show that person as being available. Other tools, e.g., GPG in the terminal window, or the GPG Mail plug in, have the recipient's key. Why does GPGFiletool not find it? Is the key trusted? -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: set owner trust from a script
Nicolas Rachinsky wrote: Hallo, what is the best way to set the owner trust of a key from a script? I've actually played around with this... To do ownertrust stuff: gpg --list-keys --with-colons --with-fingerprint grep ^fpr The fingerprint format is: fpr:(fingerprint): The ownertrust format is: (fingerprint):(trust): where trust is: 0: (not settable) 1: expired (not sure what this means) 2: undefined 3: none 4: marginal 5: full 6: ultimate 128: disabled If you want to set all valid keys with unspecified trust to marginal trust: gpg --list-keys --with-colons --with-fingerprint `gpg --list-keys \ --with-colons | grep pub:f:.*:-: | sed -r -e \ 's/pub:f:[0-9]+:[0-9]+:([A-F0-9]+):.*/0x\1/'` | grep ^fpr: \ | sed -r -e 's/fpr:([0-9A-F]+):/\1:4:/' | gpg --import-ownertrust Note that this isn't entirely foolproof and may have unintended consequences - make backups of your keyring(s) and trustdb first. I've mainly used it semi-automatically where I check the status of some keys, run the script, and then re-check the status of the keys. HTH, -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg plaintext encryption?
eruistonuena wrote: I've been using gpg no for a while and I've always wondered why it says go ahead and type your message if you run gpg without any commands or options. does it encrypt text or something? It waits for you to give it some sort of data. For example, if you were to do (on Windows): $gpg gpg: Go ahead and type your message ... The quick brown fox jumps over the lazy dog. ^Z It replies: gpg: no valid OpenPGP data found. gpg: processing message failed: eof But if you do something like: $gpg gpg: Go ahead and type your message ... -BEGIN PGP MESSAGE- Version: GnuPG v1.4.4-svn4147:IDEA-TIGER192-DSA2 (MingW32) owNCWmg2MUFZJlNZMOjPVwAAGt+EQBJAAQUABAAEADCACCAAUMMjAmmBMhia MDGagAGRoNHpHhS4KdS4JwsGCri7t74sjMbZF0dHjGpIH+kEBMETOdUX5fxdyRTh QkDDoz1c =5OsL -END PGP MESSAGE- ^Z You get: The quick brown fox jumps over the lazy dog. HTH, -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg plaintext encryption?
Zach Himsel wrote: ok... i got ya. how would i get the encrypted text in the first place. because i know armored encryption can encrypt text files, but that wouldn't work, would it? how could you encrypt text directly? With something like: gpg -a -e -r 0x5B0358A2 -r 0xB1E06496 The quick brown fox jumps over the lazy dog. ^Z -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: tar file for version 1.4.3--- bad signature?
Charles Blair wrote: I am unable to verify the gpg 1.4.3 tar file. Can somebody tell me what I am doing wrong? I have downloaded the files: -rw-r--r-- 4354218 Apr 26 17:54 gnupg-1.4.3.tar.gz -rw-r--r-- 158 May 1 19:13 gnupg-1.4.3.tar.gz.sig When I tried gpg --verify gnupg-1.4.3.tar.gz.sig using version 1.4.1, I got: gpg: Signature made Mon 03 Apr 2006 05:42:26 AM CDT using RSA key ID 1CE0C630 gpg: BAD signature from Werner Koch (dist sig) [EMAIL PROTECTED] The key was downloaded from the MIT keyserver: pub 1024R/1CE0C630 2006-01-01 [expires: 2008-12-31] Key fingerprint = 7B96 D396 E647 1601 754B E4DB 53B6 20D0 1CE0 C630 uidWerner Koch (dist sig) [EMAIL PROTECTED] Try the .bz2 version - at my end it has checksums of: MD5 = D2 37 D8 FE 1C 4A FA 37 9F 56 DB DA 0E 0B 40 E4 SHA1 = 9E96 B36E 4F4D 1E8B C502 8C99 FAC6 7448 2CBD B370 RMD160 = F6D3 2878 5F41 B74F 97D2 5305 C6FE 95AD 45BB 70A5 Of course, you should check the detached sig for that one rather than trust me on it... :) -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: auto-key-locate
Simon Josefsson wrote: Werner Koch [EMAIL PROTECTED] writes: * New auto-key-locate option that takes an ordered list of methods to locate a key if it is not available at encryption time (-r or --recipient). Possible methods include cert (use DNS CERT as per RFC2538bis, pka (use DNS PKA), ldap (consult the LDAP server for the domain in question), keyserver (use the currently defined keyserver), as well as arbitrary keyserver URIs that will be contacted for the key. I'm having trouble getting hkp keyservers to work with auto-key-locate. gpg do appear to retrieve the key successfully, but then it complains that it can't use it. Ideas? ~/.gnupg/gpg.conf contains: auto-key-locate x-hkp://subkeys.pgp.net [EMAIL PROTECTED]:~/src/gnupg$ gpg -a -e -r [EMAIL PROTECTED] gpg: searching for names from hkp server subkeys.pgp.net gpg: key 99242560: public key David M. Shaw [EMAIL PROTECTED] imported gpg: key 3CB3B415: public key David M. Shaw [EMAIL PROTECTED] imported gpg: key D46DCCC5: David M. Shaw (High Security) [EMAIL PROTECTED] not changed gpg: key DFF20E79: public key David M. Shaw [EMAIL PROTECTED] imported gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model gpg: depth: 0 valid: 4 signed: 21 trust: 0-, 0q, 0n, 0m, 0f, 4u gpg: depth: 1 valid: 21 signed: 43 trust: 1-, 0q, 0n, 1m, 19f, 0u gpg: depth: 2 valid: 29 signed: 223 trust: 24-, 0q, 0n, 0m, 5f, 0u gpg: depth: 3 valid: 24 signed: 158 trust: 24-, 0q, 0n, 0m, 0f, 0u gpg: next trustdb check due at 2006-07-10 gpg: Total number processed: 4 gpg: imported: 3 (RSA: 3) gpg: unchanged: 1 gpg: automatically retrieved [EMAIL PROTECTED]' via x-hkp://subkeys.pgp.net gpg: [EMAIL PROTECTED]: skipped: unusable public key gpg: [stdin]: encryption failed: unusable public key [EMAIL PROTECTED]:~/src/gnupg$ gpg -a -e -r [EMAIL PROTECTED] gpg: 1643B926: There is no assurance this key belongs to the named user pub 2048g/1643B926 2002-01-28 David M. Shaw [EMAIL PROTECTED] Primary key fingerprint: 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 Subkey fingerprint: F0EC 51D9 2ED0 C183 8977 DDD0 AE28 27D1 1643 B926 It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes. Use this key anyway? (y/N) Have you tried it with trust-model always in your gpg.conf? The key you're trying to encyrpt to probably isn't within your trust path. Btw, DNS CERT retrieval work fine, see: Oh yes, congrats on RFC 4398. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Getting KMail to let me encrypt to an unsigned key?
Adam Funk wrote: On 2006-05-15, Ingo Klöcker [EMAIL PROTECTED] wrote: snip I'm running the Debian kmail 3.3.2-3 package and gpg 1.4.3 compiled from the source. As far as I can tell, it flatly refuses to let me encrypt a message to any key that doesn't have a signature chain back to a trusted key. I can see the usefulness of a warning about doing this, but I've accidentally sent a message unencrypted while trying to find a way around the problem. Is there any way to override this restriction? No, but there's a corresponding (and already very old) wish in KDE's bug=20 tracking system (bugs.kde.org). Would lsign-ing the key circumvent the problem? Yes. Would it cause any other problems? You will be asked to set an ownertrust value... It might be worth trying to find an actual trust path using Wotsap (http://www.lysator.liu.se/~jc/wotsap/) or similar as well as lsigning the key, but YMMV. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Retrieving keys via v3 fingerprint
David Shaw wrote: On Wed, May 03, 2006 at 01:45:15AM +0930, Alphax wrote: How does one get keys from a keyserver when only the v3 fingerprint is known? I recovered the fingerprints from a trustdb (they had appended), but I can't work out how to get them off a keyserver... You can't. It would require the keyserver to be able to retrieve by v3 fingerprint and none can. So, why does GPG store trustdb entries in this manner? I had a situation where my keyring died, but my trustdb was intact... is there no way to recover those keys? I still have the old keyring... -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Retrieving keys via v3 fingerprint
How does one get keys from a keyserver when only the v3 fingerprint is known? I recovered the fingerprints from a trustdb (they had appended), but I can't work out how to get them off a keyserver... -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: USB Drive Use
Sarixe Avaliesz wrote: John W. Moore III wrote: If you mean GPG then Yes there is. Check out GPG 2 GO on my Homepage: http://tinyurl.com/9ubue JOHN :-D Timestamp: Wednesday 26 Apr 2006, 18:54 --400 (Eastern Daylight Time) No, I mean GPA. I already have successfully installed GPG on my USB device. It's GPA (GNU Privacy Assistant). Actually, It doesn't need to be GPA, I'm just looking for a portable frontend to GPG that I can install on the USB device and use on multiple computers. One of these computers has the users configured in such a way that the privileges are very limited, thus I can't have anything with a registry value, etc. Any suggestions? For a multi-environment setup, the Java-based Occulti suite (http://sourceforge.net/projects/occulti) might be an option. Of course, it's still in beta, and I've never used it, and I have no idea if it would work on a USB device, but it's worth a try... -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Clear all signatures on key?
Tech wrote: Hello, I'm trying to figure out how to remove all signatures from all my GPG keys. I've RTFM but I've missed something I'm afraid. Here is what I am seeing: 1. Type gpg --list-keys and I get a list of my keys. ([EMAIL PROTECTED] is a fake email address for the sake of this post...) 2. I type gpg --edit-key [EMAIL PROTECTED] I am now in edit mode Command list (I get my key information) Command uid 1 (I then select my key) Command Delsig Nothing deleted. Command Minimize User ID My Key etc etc: already clean. Command check uid My Key etc etc 1 user ID without valid self-signature detected Command quit 3. I type 'gpg --list-sigs and I get a list of keys thusly: C:\Documents and Settings\Administratorgpg --list-sigs h:/gnupg-keys\pubring.gpg - pub 1024D/ 2005-08-10 uid My Key (Email Encryption/Signing Key) [EMAIL PROTECTED] sub 4096g/ 2005-08-10 [expires: 2006-08-10] sig 2005-08-10 My Key (Email Encryption/Signing Key) [EMAIL PROTECTED] Question: What signature is listed there that is reported from my --list-sigs command? What have I missed? I would think I have no signatures installed on my key? The signature listed in on the subkey, not the UID; this signature binds the subkey to the primary. Note that by default GPG will not like the fact that a UID doesn't have a valid self-signature; a self-signature on a UID binds the UID to the key itself. If it were not for selfsigs ike this, it would be trivial for someone to inject their own UID (with your name, but a different email address) into their copy of your key and then upload it to eg. a keyserver. You should probably edit your key and re-sign it by using the sign command. HTH, -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: newbie: --edit-key problem
Michael D. Berger wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John W. Moore III Sent: Tuesday, April 18, 2006 7:30 PM To: GnuPG Users List Subject: Re: newbie: --edit-key problem -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 This is also from the Manual and should help set your prefs in gpg.conf. - --personal-cipher-preferences string Set the list of personal cipher preferences to string, this list should be a string similar to the one printed by the command pref in the edit menu. This allows the user to factor in their own preferred algorithms when algorithms are chosen via recipient key preferences. The most highly ranked cipher in this list is also used for the --symmetric encryp- tion command. Remember, when placing Commands into gpg.conf the '--' prefix is omitted. JOHN ;) [...] --personal-cipher-preferences string did not seem to work either in the config file (without --) or in a command line. It was seen, however, since a misspelling resulted in a diagnostic. I ultimately was able to add blowfish to my preferences with: gpg --edit-key mdb00 setpref BLOWFISH followed by the things that were already there, no commas confirm that I really want to do it supply passphrase when asked ignore output suggesting passphrase was not seen -- it was It is noteworthy that the 3DES cipher cannot be removed by this procedure, while any other cypher can. I wonder why this is. The OpenPGP spec (RFC 2440) says that 3DES is *required* for a cipher algorithm; it is mandatory that programs complying to the RFC implement 3DES as a cipher algorithm, DSA and Elgamal for keys, and SHA-1 for a hash function. http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Feature_comparison sums it up pretty neatly. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: auto-key-locate pka (gpg version 1.4.3)
David Shaw wrote: On Sun, Apr 09, 2006 at 06:16:14PM -0400, John A. Martin wrote: ds == David Shaw Re: auto-key-locate pka (gpg version 1.4.3) Sat, 8 Apr 2006 20:11:48 -0400 ds This means that the build of GnuPG you has no DNS support (pka ds and cert require DNS support, and ldap and keyserver don't). Wouldn't it be nice if 'gpg --version' printed a list of the features available in the version supported and not-supported by the executable? That's a good idea. I'll look at doing that. Will that also include undocumented features like --enarmor? -- Alphax Message composed: 2006-04-10T15:19:27+09:30 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Problem decrypting large file.
Peter C. Chapin wrote: Hello! I've googled a bit on this problem but I have not so far found anything helpful. http://lists.gnupg.org/pipermail/gnupg-users/2005-September/026646.html http://lists.gnupg.org/pipermail/gnupg-users/2005-October/027259.html http://lists.gnupg.org/pipermail/gnupg-users/2006-February/028073.html and their replies. -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Error: unusable public key
Daniel Carrera wrote: Hello, I'm having another problem, again not in the FAQ: sql.gz: encryption failed: unusable public key This happens when I try to encrypt a file with my public key. snip /path/to/.gnupg/pubring.gpg pub 1024D/42713DE9 2006-03-21 Daniel Carrera [EMAIL PROTECTED] sub 2048g/F2EB9C97 2006-03-21 I am trying to encrypt with the following command: $ gpg -a --homedir /path/to/.gnupg -r [EMAIL PROTECTED] --batch -o sql.asc -e sql.gz Note: The '-e sql.gz' is for testing. I'll replace this by a pipe later. When I run this command from a PHP script I get this error: gpg: F2EB9C97: There is no indication that this key really belongs to the owner gpg: sql.gz: encryption failed: unusable public key You haven't specified that the key is trusted in the local trustdb. You'll need to either remote login and: $ gpg --edit 0x42713DE9 Command trust Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Your decision? 4 or add the option --trust-model always to your gpg exectution command, ie. $ gpg -a --homedir /path/to/.gnupg --trust-model always -r [EMAIL PROTECTED] --batch -o sql.asc -e sql.gz or add trust-model always to your .gnupg/gpg.conf file. HTH, -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Problem removing a public key whose private key is gone
Jeremiah Foster wrote: On Tue, 2006-03-07 at 19:35 -0500, Atom Smasher wrote: On Tue, 7 Mar 2006, Jeremiah Foster wrote: snip if you have any doubts about doing it right, or if you're having a bad day, backup the keyring before trying to delete anything from it. if no one else has a copy of the key, you're done. if the key is in circulation among key-servers (and if you don't have a revocation certificate) you're beat. The key is on key servers and I do not have a revocation cert. Would you elaborate on beat? Sore out of luck. People will keep using the key which is on the key server, and you will be unable to do anything except reply Sorry, I lost that secret key, can't decrypt, here is my new key. This is why it is *very* important to have both a backup of you secret keys a revovation certificate. -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: decription directly from texteditor
smiling molecule wrote: hallo together, i am searching for a texteditor whicht can directly safe enecripted files with gnupg or which can directly open and decrypt textfiles. is there any plugin for example for scite or so which can do this? Only if you can write a Lua extesion for it :) i dont want to decrypt files first and than open them. i want to do this in one step. If you're on W32 you can try GPGShell which has an edit clipboard function available from the tray. Otherwise KGPG etc. -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Global Deb/XP keys from Deb partition ?
Adam Bogacki wrote: Hi, having seen a reverse example at http://lists.gnupg.org/pipermail/gnupg-users/2003-July/019421.html I attempted Tux:~# /usr/bin/gpg gpg: Go ahead and type your message ... gpg --armor --export mykey mykey.asc .. where it hung. Running gpg with no arguments assumes that you're either going to type something to sign/encrypt (followed by ^D) or paste a signed/encrypted blob which it will verify/decrypt. You need: # gpg --armor --export mykey mykey.asc HTH, -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenLDAP schema to store OpenPGP keys?
Walter Haidinger wrote: On Tue, 21 Feb 2006, David Shaw wrote: If GnuPG could also store secret keys (btw, can it? have never checked) It's theoretically possible, but no keyserver works that way. Probably not for HTTP keyservers, but for LDAP offering strong authentication and TLS/SSL? A remotely accessible, single storage of secret keys could be quite useful for some people. You wouldn't be required to carry the secret keyring with you on usbsticks or else anymore. When I think about it, probably a better use for LDAP capabilities than to store public keys... Perhaps something to add in the future? (feature request ;-) Isn't this what Kerberos was designed for? -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: file encryption and integrity check
Francesco Turco wrote: snip i have disabled compression becouse files i have to encrypt are already compressed, and compression takes much more time then encryption. do you think it is a good choice? IIRC GnuPG will detect if data is compressed before it tries to compress it; if so, it won't try to. -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: cURL keyserver handlers broken
David Shaw wrote: On Sun, Feb 19, 2006 at 11:24:40PM +1030, Alphax wrote: Host: sks.keyserver.penguin.de Command:SEARCH gpgkeys: HTTP URL is `http://sks.keyserver.penguin.de:11371/pks/lookup?op=indexoptions=mr search=Alphax' ?: localhost: Unable to connect: ec=0 gpgkeys: HTTP search error 7: couldn't connect: No error That looks correct so far. I don't suppose you have an environment variable http_proxy set? Yes, but I thought that --no-options would disable it... also, I've tried using an options file without the proxy-enabling options... So that's the problem eh? Any way to get around it? Should I just move all http-proxy stuff to config files? -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: cURL keyserver handlers broken
David Shaw wrote: On Mon, Feb 20, 2006 at 01:52:40AM +1030, Alphax wrote: David Shaw wrote: That looks correct so far. I don't suppose you have an environment variable http_proxy set? Yes, but I thought that --no-options would disable it... also, I've tried using an options file without the proxy-enabling options... So that's the problem eh? Any way to get around it? Should I just move all http-proxy stuff to config files? If you set keyserver-option no-http-proxy, the proxy will be disabled, even if you have the environment variable set. Thanks, works like a charm. Added to my config file. -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: cURL keyserver handlers broken
David Shaw wrote: On Sun, Feb 19, 2006 at 04:09:32PM +1030, Alphax wrote: Under GPG 1.4.3rc1 I'm completely unable to get the cURL-type keyserver handlers to function correctly. For example, using the following command: gpg --no-options --keyserver sks.keyserver.penguin.de --search Alphax I get the error: ?: localhost: Unable to connect: ec=0 gpgkeys: HTTP search error 7: couldn't connect: No error Keep in mind 1.4.3rc1 is a development version and hasn't been released yet. gnupg-devel would be a more appropriate place. That said, please run with: --debug 1024 --keyserver-options keep-temp-files added to your command line, and post the results as well as the contents of your tempin.txt file (the location of the tempin.txt file may vary on different systems, but will be shown in the debug output). It looks like you're not talking to sks.keyserver.penguin.de at all. Well, I know it exists; the second time I ran it (using an older version of GPG) I *did* get results. 8- gpg --no-options --debug 1024 --keyserver-options keep-temp-files --keyserver sks.keyserver.penguin.de --search Alphax gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! gpg: DBG: expanding string C:\GnuPG\gpgkeys_hkp.exe -o %O %I gpg: DBG: args expanded to C:\GnuPG\gpgkeys_hkp.exe -o C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempout.txt C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempin.txt, use 1, keep 1 gpg: DBG: using temp file `C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempin.txt' gpg: searching for Alphax from hkp server sks.keyserver.penguin.de gpg: DBG: system() command is C:\GnuPG\gpgkeys_hkp.exe -o C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempout.txt C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempin.txt ?: localhost: Unable to connect: ec=0 gpgkeys: HTTP search error 7: couldn't connect: No error gpg: key Alphax not found on keyserver secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768 8- Contents of tempin.txt: 8- # This is a GnuPG 1.4.3rc1: keyserver communications file VERSION 1 PROGRAM 1.4.3rc1: SCHEME hkp HOST sks.keyserver.penguin.de PATH / OPTION include-revoked OPTION include-subkeys OPTION try-dns-srv COMMAND SEARCH Alphax 8- Contents of tempout.txt: 8- VERSION 1 PROGRAM 1.4.3rc1: SEARCH Alphax BEGIN SEARCH Alphax FAILED 9 8- Thoughts? -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP smartcard: addcardkey fails
Lionel Elie Mamane wrote: Hi, I'm trying to generate an authentication subkey (tied to my main OpenPGP key) in my OpenPGP (FSFE Fellowship) smartcard (for poldi / SSH use), but can't get it to work. gpg --edit-card and --card-status works like a charm. Command addcardkey gpg: detected reader `SCM SCR 335 (60600ad9) 00 00' Signature key : [none] Encryption key: [none] Authentication key: [none] Please select the type of key to generate: (1) Signature key (2) Encryption key (3) Authentication key Your selection? 3 gpg: 3 Admin PIN attempts remaining before card is permanently locked Admin PIN PIN Key is protected. gpg: secret key parts are not available gpg: Key generation failed: general error snip Any clue? Thanks in advance. Is the secret part of the primary key available in your local keyring? -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: There new XMPP (aka Jabber) room GnuPG-ru
Maxim Britov wrote: On Wed, 25 Jan 2006 18:21:07 +0100 Ismael Valladolid Torres wrote: Maxim Britov escribe: For use it, you should have XMPP / Jabber account and client with conference support. Clients is: tkabber, psi, gaim, iChat and many others. I suggest Gajim which is truly ellegant and available for Linux and Windows. I not used gajim yet. I prefer tkabber and psi at the moment. Tkabber can sign messages with gnupg. PSI/Tkabber can encrypt messages with gnupg. PSI also has signed presence. -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using other compression algos with GnuPG
Roscoe wrote: On 1/21/06, Ryan Malayter [EMAIL PROTECTED] wrote: snip The RAR compression algorithm proprietary and closed source, so it is not likely to make it into any standards. RARlabs has refused for years to allow anyone else to make RAR encoders (although they exist in violation of the RARlabs license). See http://en.wikipedia.org/wiki/RAR A much better choice would be the LZMA algorithm from 7zip, which is open-source and unpatented. It compresses with similar efficiency and speed to RAR. In any case, though, such slow-but-compact algorithms are really only useful for archival purposes. While I have used PGP for some archiving, this is not the most common usage of PGP, and probably not an OpenPGP design goal. There are much faster file encryption tools than PGP out there. We actually use 7zip to compress and encrypt backups for offsite storage, as its AES implementation is so much more efficient than GnuPG's. LZMA seems to be notably[1] faster/better than BZIP2, which has made it into the standard so I wouldn't immediately rule out its suitability for OpenPGP. How well was LZMA known when BZIP2 made it in? Why was BZIP2 included when ZIP and ZLIB were already available? Does this preclude LZMA? I don't mind adding functionality so long as it is widely supported and will just work :) That said I don't much think it should be included. It could *replace* BZIP2 but replacing BZIP2 with LZMA would break backwards compatibility a bit, and adding it resulting in having both BZIP2 and LZMA seems a bit redundant when we've been getting along fine with just BZIP2. Don't forget that ZIP and ZLIB are also there... I regularly use a machine which has GPG 1.4.1 without BZIP2. Interestingingly enough bzip2 exists on the system... Back to on-topic-ness... I'd just use whatever compression scheme you want and pipe it into |gpg --compress-algo none. One tool one job :). Yes, this has the added advantage that your recipient has to be able to deal with whatever non-standard compression you choose. YMMV. -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Providing shell-completions for gpg, minor scripting issues
Axel Liljencrantz wrote: Hello, I'm currently writing a set of gpg-specific completions for the fish shell (http://roo.no-ip.org/fish). These completions already feature all the switches for gpg, and a description of each switch, usually the first sentence of the manpage description. While doing this, I've run across an issue with scripting. Fish allows you to tab-complete sub-arguments to switches, so you can for instance write fish gpg --verify-options=show-photos,show-usTAB and the line will complete to fish gpg --verify-options=show-photos,show-user-notations I'd like to do this for the various switches that accept a crypto algorithm, unfortunatly I have some problems with getting a good listing of the algorithms supported by the users GPG implementation. Running 'gpg --version' prints them, but it does so in format that I'm not very happy with: gpg (GnuPG) 1.4.1 Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Stödda algoritmer: öppen nyckel: RSA, RSA-E, RSA-S, ELG-E, DSA Chiffer: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Kontrollsumma: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 Komprimering: Okomprimerad, ZIP, ZLIB, BZIP2 As you can see, the format is locale dependant. I'm also worried that changed phrasing, further algorithm subdivision, etc. will mean that my parsing rules will break. To get a locale independant format, I have to invoke GPG with a LC_ALL set to C. This doen't seem very optimal to me. Is there some other way of getting this information that I've missed? If not, could perhaps the --with-colons switch be made to act on --version as well, to get an more robust format? gpg --verbose --version gpg (GnuPG) 1.4.1 Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), AES256 (S9), TWOFISH (S10) Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), SHA512 (H10) Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2) HTH, -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Are gpg signatures considered attachments?
Thorsten Haude wrote: Hi, * Chris wrote (2005-12-28 00:45): snip On the bad signature I see this when looking at the msg source: --nextPart5566026.XhGQNAZr0e Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On a good signature I see this: Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline This is from a single mail, before and after it got munged by the mailing list software? If not, *are* the mails changed that way? In what way are they changed? I can answer this in part... quoted-printable equals-escapes things such as newlines and equals signs - which of course changes the message hash, invalidating the signature. Any mailing list software which changes message encoding is EVIL. Its even gotten so messed up that some have their signatures show bad when adding a sig to the bottom of the message, leaving it off shows the signature as valid. The opinion on the list is that something is definately out of whack in the list software configuration. So whack it over the head. These things can be changed. What software do they use? What does the list provider say? What does the creator of the mailing list say? Mailman seems to be okay with such things... generally adding a mailing list footer won't mangle PGP/MIME (I've never seen it mangle inline PGP), but once you add attachments the list footer will start breaking things. -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: back signatures
David Shaw wrote: On Thu, Nov 10, 2005 at 09:00:56PM +0100, Christoph Anton Mitterer wrote: snip btw: You remember my C-only thread (I'll answer you lastest posts soon),... I played around a bit and read some parts of rfc2440. Ok when I split a key using gpgsplit I get about the following: pubkey uid selfsig on uid (Sig type - Positive certification of a User ID and Public Key packet(0x13)) subkey selfsig on subkey (Sig type - Subkey Binding Signature(0x18)) Ok,.. the 0x18 signature ist the one that binds the sub to the primary. =so nobody can add his own subkey to my primary because he wouldn't be able to make a subkey binding sig, correct? Right. =but he is able do take my subkey and remove my 0x18 and add his one (that is where your back sig come into the game, correct?) Right. Is it correct that the primary has not directly a single self sig packet, but rather 0x13s are used therefor? If so,.. what is 0x1F (signature direct on key) used for? I thought this is used for primary selfsigs. No, 0x13 (or 0x10, 0x11, 0x12) are used to sign a user ID and primary key together. Historically, people call this signing a key, but it's really signing a user ID + key. 0x1F signatures are truly signing a key alone. So is a backsig of type 0x1F then?? -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keytypes and changing them
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Christoph Anton Mitterer wrote: David Shaw wrote: So I think it would be better to have the following: primary: C, RSA-S, 4096 bit secondary: S, RSA-S, 4096 bit secondary: E, ElGamal, 4096 bit Ok... 1) Is it advisable at all? Yes. Many people do it this way, including myself. It's not actually an RSA-S key (that's deprecated), but a regular RSA key with the S flag set. However, you don't actually want to change the primary from CS to C. Why not? *g* Of course I could just don't use my primary key for signing plain data,.. but I think it would be better to indicate that with the flag, too. What would be the disadvantages? You could end up with conflicting copies of the same key for one... snip And again,.. is it posible to change the flag on an existing key? And how is it done? Via a selfsignature? If so, I could change the flag to C, indicating everybody that I'm using the primary key for signing-other-keys-only and if someone should insist on challenge-response I could use the --expert flag or store a local-only version of the key (e.g. in an seperate .gnupg dir) that contains the key with CS. Possible, yes, easy, definitely not. Think split the key into packets, read RFC2440, fiddle with its bits, turn the bits back into a key. 5) Would it change my primary key in such a way, that it renders the signatures that I've already received from other users invalid? No. This does not affect third-party signatures. Good,.. so I could change this as often as I'd like to, correct? I wouldn't advise it. Add a subkey. If you don't want your primary key to be accidentaly used for signing, backup your key, export the secret subkeys only, delete the secret part of the key, and import the secret subkeys. That way you can still sign and encrypt as normal but you won't be able to use the secret part of the primary key. MAKE SURE YOU BACKUP THE ORIGINAL! - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.3 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ3C3z7MAAH8MeUlWAQhUCgf+ND53aPMn+VqE/FXVA4L/CsDYtz9j7cQl bKZUid8hamWhTYbCIo5IT5kvOlLAS19VlBImT6XaSXOFJXnJt9TfpNHabI3YvKN+ GJSnGTDrnIISCK9pv8nL3+e5FomS+CMwiLR7LV7VDja4q+AXkxRzgNMDlKzYDn9R J0hCVvBPVKpGJK+7JuLo3FEWt3D+i3vxsq76zqmlXR2Tg2yWJPiqcUfR9aDme5e0 LLFlE0CpDdPspvKn+Ai93+OWt9jOAxT5hYY6E2+IgYrqT78AtakQ1Iu5UwoQ+Cqv OVWXzGwlHhg0FXapKO3P5kRXCvys+ZGoVKuzn6BTKPXNMkuxV2F8cA== =l690 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: back signatures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David Shaw wrote: On Sat, Nov 05, 2005 at 04:39:40PM +1030, Alphax wrote: David Shaw wrote: On Fri, Nov 04, 2005 at 10:15:16PM +0300, Pawel Shajdo wrote: Salve! Can somebody explain me what is back signatures? Manual not very clear about this. It's a countermeasure against an attack against signing subkeys. Basically, the primary key signs all subkeys. With backsigs, the signing subkey also signs the primary key. Without this, an attacker can steal a signing subkey from someone else and try and pretend that a signature came from his own key. It's not a particularly good attack: the attacker can't issue signatures to prove his ownership. Will this remove the possibility of moving subkeys from one primary key to another / converting primary keys to subkeys (documented at http://atom.smasher.org/gpg/gpg-migrate.txt)? No, it's unrelated to that. It's a countermeasure against a (somewhat weak) attack. It has nothing to do with various bit twiddling you can do to your own key. So how /do/ they work (and how does one go about moving subkeys between keys)? - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.3 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ29VrrMAAH8MeUlWAQiI1Af+IOP3LqxNddNc1tRxKo4BwNNm4MmiRQrC XnOkj+kpEzt7TnlvYhEWy4QUW/Kjv/7F0DvW/68lMNsSq+MV/dm89wFNiRpUV0e9 XR6qf6/jMkJEyafhT0fkfJoZBrNRhhgT6Gdgl6yvGZbK4JscMAi0CaWzVZOBryaL YNeaR+TKLhkleW6n4Q1nFodMeTZE7KgjzkyhcWvp3r6XB/mzQJ2R7EF+MD8C+P53 jmq9QQL0BAMq3F1Q6tunxHzdNknP9DUuS6pSWSVUUPZVkS/YCKX5LQFhE4txh4+E pC1v4IExoJD7Ec4hfRCIZ01S/W349uxpupL4zhPlpIXSuiwb9DXyfA== =lSYS -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: back signatures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David Shaw wrote: On Mon, Nov 07, 2005 at 11:55:02PM +1030, Alphax wrote: It's a countermeasure against an attack against signing subkeys. Basically, the primary key signs all subkeys. With backsigs, the signing subkey also signs the primary key. Without this, an attacker can steal a signing subkey from someone else and try and pretend that a signature came from his own key. It's not a particularly good attack: the attacker can't issue signatures to prove his ownership. Will this remove the possibility of moving subkeys from one primary key to another / converting primary keys to subkeys (documented at http://atom.smasher.org/gpg/gpg-migrate.txt)? No, it's unrelated to that. It's a countermeasure against a (somewhat weak) attack. It has nothing to do with various bit twiddling you can do to your own key. So how /do/ they work (and how does one go about moving subkeys between keys)? I'm afraid I don't understand what you're asking here. How backsigs work? 1. I have a cvs version of 1.4.3, how do I issue backsigs? 2. How can I move some subkeys from one key to another, where the key I want to move them too currently has NO subkeys? - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.3 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ29uHbMAAH8MeUlWAQjqEQf5AWjO1MUTnnpXblSugyp5uosKygmpSfP/ DkV+ULPCEPVFnxCY1BoekpWvjC+ZhyRzhjnjx9S79Xa5H3is6QQjo2r8Uy1ho8ju MnVC5uascX4r5zQa7wHgZzCNjXwudd03ihBzh4De9+ZsP/QELbTKrPxFp5qhH7CE hUHPh8TnkCejMcNk897Xs9zyHXZoeGSj9mQFtyO3lyOMyhV9Oey4X7bEKEXbDmVG U5N/9c46QkQPuMGfOnJ7nxFBwq99n5OVKHGg4IcqsE/J5SIwKQCHmu0sTWCGdy8R OFvj8uRh5iNJsVSx6t0+R68DizLRVyB//lluzXBdSUpoQP09iKkvFA== =3oml -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to handle bad signers?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Thomas Kuehne wrote: I've started to analyze the trust relations between the keys of various keysigning parties. The data below is generalization of several keys signing parties. the setting: * more than 20 potential participants * more than 15 attendees * 1-3 keys that signed every single key of all announced participants, even those that most likely never attended the party The interesting point is that those 1-3 keys haven't got a single signature from any of the other participants. snip 4) The owners are bad signers and didn't take part in the ID verification step of the signature process. snip How should 4) be dealt with? As far as I am aware the is no negative signature or any other way to mark those keys - except for local trust settings. Don't sign their keys? Tell them if you do get a chance to sign their keys, I am not going to sign your key because you do not understand the implications of the web of trust and make them revoke their signatures on all the keys they have signed without verifying them? If you are lucky, they will be level 1 signatures, so you can exclude them. If you are unlucky, they will be nonrevokable level 3 trust signatures 10 deep. Setting ownertrust to none in these cases is a good idea; at least then your WOT won't be contaminated by their signatures. However, I find it unlikely that they would even enter into your WOT to start with; if that is the case, you need not even worry about what their signatures are doing. Just set ownertrust to none and forget about it. Use the --always-trust option when encrypting (IIRC GPG will still warn you but will at least let you encrypt). There is of course possibilty 5) which appears to happen most often with PGP newbies (because it's TOO easy to use, and the instructions likely don't require any understanding): the possiblity that they should have made local signatures on the keys, but didn't, and PGP automagically refreshed their entire keyring, spreading these signatures into the wild. For an excellent example of this, check the PGP global directory key; there are many signatures which have been revoked due to accidental non-local signing, and many keys in the keyserver network have PGP GD sigs on them, again due to automagic refreshing (most likely through LDAP). I realise that this has turned into a bit of a screed, but it looks like the best policy is: Don't do stuff unless you know what you are doing! Don't use software that does stuff behind your back! Use Free software! - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2yew7MAAH8MeUlWAQgPwAf/SmSJeK+V8kdQOu77VWGwLBRHzGs2pb8R HY1GTlZiCKIqbUhAs3nz+9pTww5JlFV16N/8MQrF44VCrHDpytmPwsF+NcszfEeX 2/Iz2wQUjAqVepgmmxujqBIpcGMYPNrPk6yf+SByspOgVG6stFbBD3ZAMU41R36f GLn/Hq6+A91qV1tAD1C9giHhDxy1WzZr8rHHPf68Cah54/8ndFhJnm/5tFrsAGVR QG1og6ziaZzyexfAnCUhdxHaGkKry9UN58WGZGOKkth9Wdh/mTlduLezIR/Mff6r 4TQEWppp/LWg+mOnuik6OwsKuVHrxgZ4SUXUKtvtx3aa4oWrA4G4lw== =CZoN -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: back signatures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David Shaw wrote: On Sat, Nov 05, 2005 at 04:32:07PM +1030, Alphax wrote: David Shaw wrote: On Sat, Nov 05, 2005 at 01:47:08PM +1030, Alphax wrote: David Shaw wrote: snip I should add that this is a new feature for 1.4.3. Has 1.4.3 been officially released yet? Not yet, no. How unofficial is it? It's as official as any release that hasn't happened yet: that is to say, we're happy and thrilled if you test it out and report bugs (to gnupg-devel), but you'll have to compile it from the SVN repository, and it's not considered stable code. Considering that 1.4.2 won't compile on my system, that could be a problem. - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2y04rMAAH8MeUlWAQh/yggApuqFc1sRkU6w6+whqE7GH3EooQIrp5On 8mIt1AeafrdFsEVRFALH+cc0Nvrna+KTPcze+mVQQM6lv5MRb3v+2GXpI8kqYIWL CrpAfFUJH9UftBhw84ytcZn20gKg8Mw9Q1RZCcwj6sBtF9JIX4xAfgRvv972b7FH fakqfbQ6hzkUciZUQmMWIBiHYcDZclAqmukD6iragtpYrK13vemCFO+hDViqbAb+ HXQQ+oL1kJk8BcXvuA1a/CNH9W3OLl2M+5pl4mnYP7ZqEKjQJ+gr1mBRmwvvwS5/ 1M1trBgyTrycnL0Q0D/zoW7QJEY4AHrI4ImrChqjDm0ZgVEcENJRWw== =CpjA -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to handle bad signers?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David Shaw wrote: On Sat, Nov 05, 2005 at 12:30:46PM +0100, Thomas Kuehne wrote: snip How should 4) be dealt with? As far as I am aware the is no negative signature or any other way to mark those keys - except for local trust settings. That is correct. It really has to be this way, for good and for bad. Trust is inherently subjective - even the 1-2-3 trust levels are just guidelines and there is no way to enforce them beyond asking people nicely not to abuse the system. Of course, it would be possible to propose a different trust model that takes into account such things (a reputation system), but that would be a reasonably different beast than the current system. Not impossible, but it would take some working out of details. OpenPGP currently has no way to make a negative signature. If it did, there would be a corresponding Web of Antitrust. - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2zEJ7MAAH8MeUlWAQhmzQgAooOGpX2p31Bgoc8F4egWzFgHCS2pWO+z Bsl8YgnGdjzT7Q0GVOsP55LjPPKRSBh1+yIDrWYIqWyuLp1a74ZQTw5u8NDDtPj9 NhHSwa6kB+sQksaT3U5I4AZL7uygh79CI7AtGj/TOafoal+IKYXzVmA/DPGCVMkJ ovhv1NzfXnyRR6UGmviBrket9gaWNOST65o75NrCQww2UelH31xNPweLXclRxWkf aLs8wuNzO375MrtQkRtIFv0CDSysd4HMgByXC/p1QZdiv6o0rqKOq0heCTSPIr1Q qMqfQY9y4aWHiifHvJeYllo04V8/b7yULSj6U8h2TUpjf9gZqmNuUQ== =pM1Y -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: back signatures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David Shaw wrote: On Sun, Nov 06, 2005 at 12:04:27AM +1030, Alphax wrote: It's as official as any release that hasn't happened yet: that is to say, we're happy and thrilled if you test it out and report bugs (to gnupg-devel), but you'll have to compile it from the SVN repository, and it's not considered stable code. Considering that 1.4.2 won't compile on my system, that could be a problem. So... report the bug? We're not terribly good mind readers here. Nah, it's my system. MSYS is not a runtime according to all sane documentation. - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2zGrbMAAH8MeUlWAQj7TggAsKkG5TNPuQWMuPerEf+CE9j7w/RmRBMY MxCc3V5Kh0+HHcZT7yhP2ZmVwyFOEDH3qO2YKL1ouMEkm+KMHB3pQArb0Wjjlnkn b574a5P/jzcvz/Fp75VurOPnrz/i3o2DzhKXURxSMQFVrsYrfL2TIb98KBUVGs+0 rbzvNjCZQ3cqVtu2moYRJnou7w5PVZUdWTH16NmuKSjVIt4mMnH+vG2yDud2lxkV f31vlzD2K+Fgal8wkzVTNCtBQoZUEC2fB+7iXbwcTSwj6xjGReCih22lvyiB5qFU lYzjYx2YCCCDbMoMYgMqVcBQy13N6PlJgYGad7RD2nwlYHQLKYLbBQ== =efte -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: back signatures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David Shaw wrote: On Fri, Nov 04, 2005 at 02:24:09PM -0500, David Shaw wrote: On Fri, Nov 04, 2005 at 10:15:16PM +0300, Pawel Shajdo wrote: Salve! Can somebody explain me what is back signatures? Manual not very clear about this. It's a countermeasure against an attack against signing subkeys. Basically, the primary key signs all subkeys. With backsigs, the signing subkey also signs the primary key. Without this, an attacker can steal a signing subkey from someone else and try and pretend that a signature came from his own key. It's not a particularly good attack: the attacker can't issue signatures to prove his ownership. I should add that this is a new feature for 1.4.3. Has 1.4.3 been officially released yet? - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2wkM7MAAH8MeUlWAQh2hAf9Fr3wbnvSaNFprkxJ/aSv2Fw9IQqqDF87 kbfSfA6tjPdzh6P6pIUCb3Fjy/or1s0BLwTM9snTmhjK6eggT9a2JB/L7jMdjkTf 47q5ZM79Oi8NSUkOCJT/9fEe0X+4lzPfXrjHLwfeFJ50NJxvBupPtzzzjElhlBfC oilO8eMzpT9FNgWaBJZIiOTANLRPgeN8NZS+AE4KKx/cSQZnCeoIrkVOxD7/HElm 6bfxZIsUFKDXMdOfJQJAhX+iBUtMjmU06/UDZlRV3unH8W8YDU4z6TlkCfwRihPj h4LzeRB+ZjrLSy6zd6U5zsANqzURTkGq7EiIPgZp/ulaDD9vBWDj1g== =g8ka -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: back signatures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David Shaw wrote: On Sat, Nov 05, 2005 at 01:47:08PM +1030, Alphax wrote: David Shaw wrote: On Fri, Nov 04, 2005 at 02:24:09PM -0500, David Shaw wrote: On Fri, Nov 04, 2005 at 10:15:16PM +0300, Pawel Shajdo wrote: Salve! Can somebody explain me what is back signatures? Manual not very clear about this. It's a countermeasure against an attack against signing subkeys. Basically, the primary key signs all subkeys. With backsigs, the signing subkey also signs the primary key. Without this, an attacker can steal a signing subkey from someone else and try and pretend that a signature came from his own key. It's not a particularly good attack: the attacker can't issue signatures to prove his ownership. I should add that this is a new feature for 1.4.3. Has 1.4.3 been officially released yet? Not yet, no. How unofficial is it? - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2xK3rMAAH8MeUlWAQgdbgf+N3WnnAPF/+AJgnssdjrhbb/JrCvlacU7 FBfVq/lTZt++rt28EgeT0sGIsVT+p9DyyoetY06wxsuJhGQn1a4RwFAKwlIsBDgS IppX+lOcf2zuN7W6x4Xzq+wFKKNHwkSrUYFQdK/0oI6vZx6E45m5o9+9USONu248 hOMP5tUvgnQ8DStN/czOkke+Fig5/Gm7Lb8IJ8CqAF+3JPxthPmLt4lQDEcm3M17 Bm8VF48pHo6fozLghSDxPB2mJtGawgp9BaBwAghZJysFXf/E+Jm2TE2xw9vXpvDw hfLQbl/OK+BuZlMocMkl6Ml9Bm6SEN1LsoiLkMHIJyN25B7JWJ75tA== =faWd -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: back signatures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David Shaw wrote: On Fri, Nov 04, 2005 at 10:15:16PM +0300, Pawel Shajdo wrote: Salve! Can somebody explain me what is back signatures? Manual not very clear about this. It's a countermeasure against an attack against signing subkeys. Basically, the primary key signs all subkeys. With backsigs, the signing subkey also signs the primary key. Without this, an attacker can steal a signing subkey from someone else and try and pretend that a signature came from his own key. It's not a particularly good attack: the attacker can't issue signatures to prove his ownership. Will this remove the possibility of moving subkeys from one primary key to another / converting primary keys to subkeys (documented at http://atom.smasher.org/gpg/gpg-migrate.txt)? - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2xMo7MAAH8MeUlWAQjH6gf+KmeEkA1TrqYANLl6jWyCvVslMukZcDeI yHFLgPT3tJY/dY+AU4mRsgcim3sd3alJan8Qz1mecEbxHHffXJCSbowagnUotx19 AP6ku/KFSC/yjF2dvttoDmmnSxWSzL9F0EoJI5O2o/xNXVaSjbR1wj+zq6Z7m84I 6R0QQguSDHmccPAtLmtdIereGuU8ai4seQI97JLD78eVM0gibR220WaTe482Bh3P i+yNx6fMMjlGb/VB1AWTyK5b04SguGZQtKP4QQzxiAsfNvYYeRWlVuGwThrHTodd +A30HeVql/PRkEo3ITtT8BQ6nelRikm+SDTo0Z3YCxLT7uRGzmeR7Q== =Omcs -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Batch setting ownertrust
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Alphax wrote: I know this is probably a bad idea, but I want to do it anyway... Is there anyway to set ownertrust on a key in batch mode? If there isn't, how can I generate an ownertrust file and import it? Alternatively, where can I find the specs on ownertrust files in the source code? Never mind, I worked it out... - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2najbMAAH8MeUlWAQjdyggAjN/9nKfmpk+lserH8Rm6sQIRsOX+baCf 8Gj6TEQBf1z4AfuCbUsgAfgI54FBEUda1lE6HDdXqjXDrhuXetpgqQLSk0suXSvT GtbZ1KO4daGTr08lxoUhxBou8pDBG1UKVi5fpNLl3Jyw9kpce7cmLWvuKbbAEO51 hk4DMQcIjreQ4/T4wdh1i+fzbkC0qJCEihjKZ41EFCHvindOiE2mxBhlRZ+swDYn AhiT7SBoEXd4c8jZTehLKCrGOUryQwPCPvyJ72ljO7NZiwOzKbnpnprYN/JXg5S8 TeGu32r8r/NM+TgA64XX/GugEpr46/9aWaUDuBpy3SFzeyKNT3zbMg== =qR5k -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Feature request: expand 'clean' to 'clean total'
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Dirk Traulsen wrote: Am 29 Oct 2005 um 2:25 hat Henry Hertz Hobbit geschrieben: On 27 Oct 2005 Dirk Traulsen wrote: snip So here is my feature request: Please make an option to delete signatures, for which there is no corresponding signing key on the local keyring. snip I hope I am misunderstanding this. I think I am. I have a little bit of a problem with this. First, I am NOT part of the WOT and never will be (look at my name and you will see why). Second, I have precious few public keys on my key ring, and Werner is one of them. You should all of those pretty [User ID not found] after all of those sigs. Thank goodness I am NOT part of the WOT. If I was (part of the WOT) and cleaned out all of those signatures on his key, signed it, and uploaded it to one of the keyservers so it reflected he had another signee, what would happen to the ones that were cleaned out? I am sure that most if not all of them are legitimate signatures. Like I said, I am pretty sure I am misunderstanding what you are doing. Yes, you do! This does not effect the keys on the keyservers! The keyservers always only add or merge the keys they are sent. This means, if there is already a key with that ID, they take the sent key apart and add the new parts (if there are any). 'clean total' would have absolutely no effect on the keyservers or the WoT. The proposal is about all those [User ID not found] in the keys in your LOCAL keyring. My proposal would only have an effect on the keyringsize on your storage media. Even in my really small keyring, there are several thousand of unused signatures. Can you imaging the effect on local keyrings with hundreds of keys? Because you don't have the corresponding signing key in your local keyring, gpg cannot verify them, so these signatures are not useful for you. (With the exception, that you have a visual hint that there are more signatures on the keyservers.) I have a keyring with 1600 keys on it which has a physical size of almost 30MB. I would appreciate this feature very much. - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2R1fbMAAH8MeUlWAQh57Qf+Oo50sxbj/lqTXbEW2BjuIsTyluRUpp3k xNlH9NVELW4cStE3nKowbGkG29KytYotaERGzi3hn0O6l2ZyXnaiPmfEaT0ZIA9v xC2XUfCrgueSXrTufB8oDtj2YS8qrWvwkOcgkdPJQTaK+yorpWtwJOHVkHN1V+E1 xwGnTzJC5HQa86CF8PsHAAmtnPsEe/q0tRsSel6/RzGCUhfBR7sOC4oTgRtypgn9 6eeVUBolrZe+bP/s9FR6YrxPo5T7Up/bVQkna6fglclWYAa+q07enw79jli4/20U ghzMgcd5rIwPm0xg8tkqw41h/YYPZTqcj66UE+y0v6DjnNr2etnq4g== =rkns -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Signature packets without (whatever)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David Shaw wrote: On Tue, Oct 25, 2005 at 11:53:51PM +0930, Alphax wrote: Recently, when checking my trustb I get the following appearing: gpg: buffer shorter than subpacket gpg: signature packet without keyid gpg: buffer shorter than subpacket gpg: buffer shorter than subpacket gpg: signature packet without timestamp gpg: buffer shorter than subpacket gpg: signature packet without keyid gpg: buffer shorter than subpacket Now, I figured that cleaning the keys would probably fix this, but the question is: how do I find the offending keys? Given that one of the errors is a signature packet without a keyid... it's hard to locate the signature :) You could do trickery with gpgsplit and such, but I'd wait until 1.4.3 is out. It doesn't error on such signatures any longer. Um... *bump* on 1.4.3, I just discovered that this (like all error messages) is killing Enigmail. Any way of finding the offending keys and cleaning them manually? Oh yeah, clean total would be good for fixing this too... - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2W6X7MAAH8MeUlWAQheeAgAlii/xIcQmw2B1km/1b/mSWBlRaoojBoZ HbEF0K21YHr/WcPS4WfLZmgG6JlVEr8on+ksQsxbRabWGfRfBbx4rRIyLgYJAZZ6 m2gAQ5iIAm+0dnDHYt4xPxfN6KAAuYveh64cMad6ebISwucrzq3ivsS/fgzKbEUK 3VyK8X0a2XecGn2iXL7uht1/RsoYgUF+fTq8Lt1iSmiVLb16chm62ZuxLK6TQDnb SnX9wTaz/lavu8BBFRXa6mqyvSgqTz5FkCA48FOyHVDzA9JOSjKHFwVu1AfVRb56 e04BmoKXJgG1LzbGFLE9LlOm0YWIpRGu3NF5OPKQXvAjRssaW3V0IQ== =lj5X -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Signature packets without (whatever)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David Shaw wrote: On Wed, Oct 26, 2005 at 12:08:55AM +0930, Alphax wrote: David Shaw wrote: On Tue, Oct 25, 2005 at 11:53:51PM +0930, Alphax wrote: Recently, when checking my trustb I get the following appearing: gpg: buffer shorter than subpacket gpg: signature packet without keyid gpg: buffer shorter than subpacket gpg: buffer shorter than subpacket gpg: signature packet without timestamp gpg: buffer shorter than subpacket gpg: signature packet without keyid gpg: buffer shorter than subpacket Now, I figured that cleaning the keys would probably fix this, but the question is: how do I find the offending keys? Given that one of the errors is a signature packet without a keyid... it's hard to locate the signature :) You could do trickery with gpgsplit and such, but I'd wait until 1.4.3 is out. It doesn't error on such signatures any longer. It's not dying, just warning me... however, I think they might be responsible for my trustb becoming corrupt last week. Will 1.4.3 automatically remove such signatures or merely ignore them? I doubt this is involved in any trustdb problems. All versions of GPG ignore such signatures. 1.4.3 just ignores them quietly. Is there a way to actually GET RID OF THEM? I tried batch-cleaning my entire keyring but it didn't help. - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2NH97MAAH8MeUlWAQi5Pwf/dTeEdRTVIisZa+b3UyyKSci7nW652bh9 zMxH63351zL5gvD31RgU4ShWOQWMfIra/tbJarIhce2M2vFFZ8l5AKRHciBJ3/gg 2Ian5NHsiyeLYcUaJ1xWDy1MD5sLcdDZYnQJurFu0mOW/58UXbi3EgeC0NvgT02W Sbagx+33mof89dhPUHZiQW0wpcVY1TGXuW6+0e+JwFXzwfstuaLMAB7rmi5V8GxX wpVM0wulhH93o04S8WjxsCh8UYrjWU3veY+XTC2mulpFVccQHaZxmo7mXvzgg0d5 IeG0RIh/ihmB+DMreefTj4sVUW7jShK047qiLgvRa8ki0GMdsFtXnw== =rYRK -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: allowed commands on keys that keyservers handle correctly
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Realos wrote: If I like to remove my signature from a certain key and/or uid, what is the best approach to that? Does it make sense to revoke the signature or just delete it? I find both of these commands in gpg software but am unclear what to use. You need to revoke the signature once you have lost full control over the public key (i.e. uploaded it to a keyserver). Deleting a signature/uid or key makes only sense if you can replace all copies with the updated one. Replacing an old key with updated one seems to be possible with biglumber and such other servers. Such servers have the disadvatage of not syncing with other public servers and only allowing one public key per email address. Are there any other drawbacks of Biglumber? Biglumber *does* (AFAIK) allow multiple keys per email address. That's one of the reasons it's better than the GD. - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2CxwbMAAH8MeUlWAQi5sggAqE32MzcjtcvqEIJ83m1rQ2D39C9krvg3 PyCx0KRJ1T31GvV1rVVKRbHozEw5aCHR7BgtJflDugCR3rfe079wXrB5Tui1erzQ esg6kr1UBTsfwxgUArfHXBc/4hnevO/AsKZtwI5VuM/epUnW0nrHPbQC5VP6nMQ5 j4YW4Of4w7IatjU5OUognJgbVUwIYj76SswnCyrhW42re6xq/Ak1kwqD6L5LoKM/ JftWVBfu85ypRIaKAWX+Bqu9l3r1OE4i7JfAoAwHb7ZhSNVXoFEiYcOferUA8iA/ S6rPrpVyTaj4bAQFpFMKpCgog7BcWqer4YyzNEnKwPnMXjqLMO5PLw== =h9bI -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Lots of questions
order should be the following (from the best to the worst): a) SHA512 b) SHA384 c) SHA256 d) RIPEMD160 (no sure if SHA-1 should be before this because of that chinese team that found collisions and so on) e) SHA1 f) MD5 Correct? SHA384 is /useless/. It's just a truncuated version of SHA512. In my mind (and remember, I'm just some guy answering your email), it's a security risk. RIPEMD160 is currently the best choice for a 160-bit hash algorithm, provided you use an RSA key. SHA1 is not completely broken *yet*, but it's a lot less secure than it was before Februrary. MD5 is completly and utter broken, in real time. 3) Compression algorithms GnuPG supports: Uncompressed, ZIP, ZLIB, BZIP2 I think the best preference order should be the following (from the best to the worst): a) BZIP2 (I don't bother if there are Windows users or so that can't support bzip2 *g* ) b) ZLIB c) ZIP d) Uncompressed Correct? Since you don't care about Windows users, bzip2 is fine. GPG is pretty good though; I use Windows and don't have any problems with bzip2. IV) How to create my new key the best way? Ok these days the Systems is in Munich and there's the c't Magazine that signs keys and so on :-D So I'd like to make a new key asap and have it signed,.. ;-) Join a Linux User's Group, put your key on Biglumber, and attend keysignings. Ok,.. now I wonder how I should do this the best and cleanest way. I suppose my assumtions above are correct and RSA-R/ElGamal would be the best and that the algorithm preference is also the best, if one could say so... RSA-S/ElGamal-E with your prefs should be OK; prefs can always be changed. And I suppose that the default random settings in Linux (normally I use debian, but I think I'll boot from a Knoppix CD to create the key,.. hope the include the latest version of GnuPG) are already the best, correct? Set your s2k-* options as strong as you can and use the best RNG you can. My ~/.gnupg looks: snip A lot fuller than mine :) snip Can I change that sig-policy-url, cert-policy-url, set-policy-url and sig-keyserver-url later without loosing signatures on the UID? These are settings in gpg.conf and are only applied when making signatures. Ok,.. later I'm going to play with Smartcards, too :-) Keep in mind that you will be called on to help debug new them if you get one :) - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2Cw0LMAAH8MeUlWAQh8MggAiYkxFPaB+y75tXWI52nvCYgKI1C9bYgV nPyiOPjTl32Hywa4f1C2KmZ/bTLr7FWTN7kcZdu7Ws/ZrmgqRkL7/vPpLNNi6+K3 jNDsMeM7+m7IlYKf7VQeuJiqhGCT9guvSKLBcC648joayUxJjUHIU/G1oYaQhWTC cpzVJsmFOhli2pUxAv6G4/01jcqmdDeJv0yfvpUHMrWLctpQv/kPcR7UyI7QVT1T n9HFE2FBBqz63c4uDkJZGodNlgRjk7bZWL5dI3cjCrinHutoNTkfN8lzWhdNtVyJ 0K5zMVukB44nHodCiSVWdNk1h9nhvi71q1VbDMubb0+r7wxlDNfDBA== =EzW3 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ECC
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Topas wrote: Hi. When are we going to have ECC support in GnuPG? Is it in OpenPGP yet? - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ2CxIbMAAH8MeUlWAQhNDQf/R4GFn6bEX6DSMPqY2AOFWhp7mIzJDFvz IctXHWjLyw22L7m/0s+1h6eIowP9l6FvW5wU9V/377NkRWGALhhWgWS3jpydqhfX NggbYqIZ8xp5/1hNjvpi1JJUp1WEOYRx5CBN7kBXtRB51+P/ms9DbgCtazBen8pO l5zIC54+/ffUlwbwBE6cOybI0Dz65tnCtbes+4KjURBdXl6m5Xcwu9yQy2Phkb6v gWL3jKAxcYeYtwWZMdHPJXaHZIe9IONMVgBtvvWxUspNP1CJ2yQioZJDPM/mX5jV r0wArNDI6VSBFkaBACby9YDFPiT/R7vqdAJiHQXaymKidSmSUrTRlw== =S6ns -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Signature packets without (whatever)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Recently, when checking my trustb I get the following appearing: gpg: buffer shorter than subpacket gpg: signature packet without keyid gpg: buffer shorter than subpacket gpg: buffer shorter than subpacket gpg: signature packet without timestamp gpg: buffer shorter than subpacket gpg: signature packet without keyid gpg: buffer shorter than subpacket Now, I figured that cleaning the keys would probably fix this, but the question is: how do I find the offending keys? Or should I just batch-clean the lot? - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ14/9rMAAH8MeUlWAQgsPQf/RtAXvT6o2PDGO/SvmrNHAol3WFAC1+KH fSx/EfxCzglJU3oAjX0Q4XOx4we/JfFUm5+jp8S4A4u5cJXwa94clCTr8pENmKrz NX272+FfxvvRd9OhkCocdvKJ5ESiAhfG/VghjSh8vKidzCRQ/FM7N0yucvE/SeO4 MuCi8RJO7A+OG7HPs2Mz0MOlvmPAGqyMCgJm/Ff7E+tvhFVZGfr2iSHHN38bmmVC +ULD4RrRhLtdv8rnGO4eL7q0X4wZYi5ohYi6vm+TtBPAYk+D3esqULEZiuQlrjcn Wl2xAfe6rd0h79u+qoCtEmQJ/ld8BSKI8uUJRR2PZVkIpqg6FWlc+Q== =PU3W -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: security measures?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 John W. Moore III wrote: Mica Mijatovic wrote: 2. frequency of changing passphrases - in a user who accesses emails via net cafes (think keyloggers) Also good idea. Let's say after each use via net cafes, as soon as possible. Well, would be ideally. However, keep in mind this: If a keylogger/spyware ensnares one's Key operable passphrase, then merely changing the passphrase once you get home will not eliminate the intruder from now having a matching combination for later use. The best/paranoid practice would be to have a Key used only on one's portable/Public PC device coupled with a codeword for each correspondent to be inserted within each missive to confirm authenticity. Create a seperate signing and encryption subkeys and export them, disabling the secret part of the primary key when you do so. A good tutorial on this is available at http://fortytwo.ch/gpg/subkeys - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ1HEarMAAH8MeUlWAQgTVgf8CLHColEuJSIq+iweje1t/P1josJ5QoaK fUgTAZkN/mTgNnHiiiRHqxwjU+eKvpwZyuyFntgkE3K0a2IpED+vuXZJ12BOQSfu bKmERwmI3X6SWefndl8yqg7Wl3trX789mEzHVKEJYFDf7M2O+XyiwMiiHx6lXaWE JibeefRXbheks558sKKi4QcmVMKWIItpxB0rBNMm9Rk0NVwK8npdLrVkPVpg9FVZ Y8XGtCY3wyrPCBA5fApybMdw4CW9QY+SO21bVLBayehdx758+kJ98GIyFZGq/h6x RT3UdnaYcY9CJjcBt269NHR+Rg0rPkTjwBRFsXpDXrxJWe1WkfWVTw== =P85/ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to fix the user ID on an old key?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Oskar L. wrote: Hello, I've got an old keypair, generated in 2003 with the current PGP version at that time. When I import the secret key, I get: gpg: key 75AC881F: no valid user IDs gpg: this may be caused by a missing self-signature I'm able to get the key to work in gpg, but is there any way to fix it, so that I can export it, delete it from the keyring, and re-import it, without getting that message? I've tried --allow-non-selfsigned-uid, but that doesn't seem to change the key, only the way gpg handles it (when exported it's still the same). Included below is the output from pgpdump, in case that's of any help. Re-import it from a keyserver, the copy on the SKS network has a valid self-sig... If that doesn't work, gpg --sign 0x75AC881F ... - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ0zeH7MAAH8MeUlWAQgaRgf/TQRw/pHUBVBaGrRNN2t1Ch+SnNbwRWeS IvDXXfNErNJGd5B8nMQkB6NdhJZfdGbs/6eP8/0Eq+zK/cvt4x+/amC2YsFzaA1T v28JmOxGaOV+jjimhbPtMdu7bRH3bxr2Trj/Kp/lD2pltTZ076ekvFiRawCWDxaq 7h00VqMvN1pe4VM1+qlyogen911Uh4J3UDqW8L8Lz1vIoEsFktRpV9kEW4ytdiUU Fi/cca1EpaCw9+S3L6lB8ZFJ0P/JRjOOTaANaY9DRP0u+YQJTFTJR1oyh3nhU7OD puugUUlqy87LtCp4mgFXM2TDTudTAQeizrZ7PG1HDX0S5ZsTE0BGOg== =CHyP -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Armor headers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 lusfert wrote: Hello. How can I change text (not by manually editing) in armor headers (for example, Version:) or armor headers themselves (add, remove)? Will it affect compatibility with other applications? Can I put custom text into Version: in stage of exporting public key, making signatures, encrypting with ASCII output, etc.? Sometimes I do not wish that others will know what exactly OpenPGP implementation and OS I'm currently using. Well, you can use --no-emit-version and --no-comments... - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ0fOi7MAAH8MeUlWAQgy0gf8CBVH9VNb6dcDvGmmTrUrLn1u+pUShVPx CE32CP2ybfp2i3Rh9J7a6lCZSQQ1rnpjHL8Nk837S5c5ulIrszaZz/hdnl7RxE5w sjOMHbCMjIa0ahXfNGh0qki23wOCcEnFYvFWhBA+CzxDTixMm/EU9Y02Mnhcfn7g Cbaf9gF7nM1HGKpSQL6gRl+5TsUD3izROdbFRfuiq5exEPvarI9GO7i2oQ6aO8dW qehao982/QN0mOKrlcrWUQGS3WOVStJpaa3CTu3CJSVueYiE7Z3XkCIvg2AB11F5 21muISkpvf5TSnyy25rhSgm/MgJTBG+R/pa0Lwk9Hb8njgC8iR7a5w== =ROPu -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Convert Sign Only Primary Key
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Klaus Fuerstberger wrote: Hi, a time ago I created a Sign Only DSA Key with an ElGamal Encrypt Subkey. Now I noticed that it is not possible to encrypt a message with PGP to this Public Key because PGP only sees the sign only primary Key and not the encrypting subkey. Must be a very old version of PGP... Ist there a possibility to convert the Sign Only primary Key to a Sign and Encrypt Key? It's not possible to use DSA keys for encryption. You can however generate RSA sign encrypt keys. Any other possibilitys to use this Key, so it is compatible with PGP? I'll cc: this to PGP-Basics @ yahoogroups; see what the people over there can dig up. - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ0JTri/ia4ZoBgmdAQg0pQf/TU5I4Frw54QqJTd8EHYYhIBMqb5iCW2Y JUlrXJcSHQ3rOg5PbUlXL8RO1gq7oGIZN+4pm/fnxcFlZ/o+uMx9mKl4QQM9GL3T LXL2xgwPNlcHH9mU5sXZza/OfeXsPTar2axpeAKgrR16dzNYztLdgBCvjLrq6MdG 5XLdKeaGJecCOLrD8utUm4G9cSA5Z2hyqx6oVsF/bI60qQZhqQ5Bnwp/zpAKtNWI 535lFexUVVhNWxho7koakcAXBbrf1hHbZikUwxN68LroXHM3usFOyHB/hPedE9q2 zvuwcCiaky6P2A+fdRAujQUH5BnPe4p+dRITyjrbEh6NMsxU05EUfg== =BDNN -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Convert Sign Only Primary Key
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Klaus Fuerstberger wrote: Alphax said the following on 10/04/05 12:04: a time ago I created a Sign Only DSA Key with an ElGamal Encrypt Subkey. Now I noticed that it is not possible to encrypt a message with PGP to this Public Key because PGP only sees the sign only primary Key and not the encrypting subkey. Must be a very old version of PGP... Maybe You missunderstand my procederes: $ gpg --gen-key Please select what kind of key you want: (1) DSA and ElGamal (default) (2) DSA (sign only) (4) RSA (sign only) Here I selected 2. After the key creation I did a: Command addkey Please select what kind of key you want: (2) DSA (sign only) (3) ElGamal (encrypt only) (4) RSA (sign only) (5) RSA (encrypt only) Here I selected 3. This key does not work with PGP5 for encryption. Only for signing. It may be that PGP 5 doesn't support ElGamal keys. Try adding an RSA subkey. - -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQ0J757MAAH8MeUlWAQhZlggAjao1fhPEx4AHlDETCAHXAVTqMv6rZhJk PmU5oecEkk/IkS1JLXdacrpNzSl+1FUL3nSVYPdAUSq+ZQ8TEBdHnvhnKW8EjOaQ G7JIAEBW9xn6ctLEGkDGdPQYdsjB6dFuCmnjleQtLEsw6XE2VGDyRLBUPhpKG0Lq 66i2WtNK2T9+bh913jdQHMt2xpf86LAxAySAEZA7jYqh6mL2+SV5/+Lbkg1JRl3D SREiNFWPQENYpnUQ3vY0yrUR96AzbCR1ucRk7b7GtJjxnTaIT7kRpy9bCqXM1zHV x2G7xnDuWk1uiRyJkUlNGsuzOAIw4D/V4ei3EHkA1FMBMMKjmXxmFQ== =Ukir -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Any way to get smaller key sizes?
Laurent Jumet wrote: Hello ! Is there a way to check the signature below with GnuPG? snip S/MIME cert Possibly with GnuPG 1.9... I did some fiddling with the raw message, if you remove the MIME seperators inserted by mailman and replace them with the MIME lines in the original message (the Content-Type: line), you can make the signature show up (and indeed verify) with Thunderbird. However, the sheer size of the signature (the fact that the entire certificate is included with it) and the breakage that occurs with mailing lists continues to demonstrate the superiority of using OpenPGP :) -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Two questions
John Clizbe wrote: Gary Graham wrote: snip Second: I have a Thawte Freemail certificate. I have Enigmail set to use it. How do I import it, or whatever, it into my GNUpg keyring? I see several have done it. How do I say It's more trouble than it's worth? You have to use PGP as an intermediate step. snip From my understanding of PKI, there's another way to do it, which is *even more* trouble than it's worth... Extract the raw key (as in, the really big number) form the X.509 cert and convert it into an OpenPGP key by taking a large bottle of your favourite alcoholic beverage, read the relevant RFCs while consuming about half of it, attempt to perform the conversion, and drink the rest of the alcoholic beverage when you realise how futile this is :) Or should I just go ahead and drink the whole bottle right away because I've gotten the procedure wrong in the first place? ;) -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs)
David Shaw wrote: On Sun, Sep 11, 2005 at 09:27:54PM +0200, Johan Wevers wrote: David Shaw wrote: I have sympathy for that argument, so wouldn't it be good to trace down where the sigs are entering the keyserver net, and ask whoever is doing it to stop? It seems like the obvious first step. Assuming this is possible at all. I don't know exctly what keyservers log, but I'd assume that making the links GD sig upload - IP address - email address is not trivial. It wasn't an idle suggestion. You can assume that I do, in fact, know that this is possible, or I wouldn't have suggested it. Why on earth an email address is relevant here I have no idea. You don't need anything more than the IP address. I made the suggestion as a challenge. The trace is not actually going to happen, as it is far, far more entertaining to complain and moan about the GD than it would be to see who is bridging the signatures. It has been suggested that automatically retrieving keys from keyservers can expose your IP to the keyserver manager, as all they have to do is generate a new key, send it to you, and wait until someone downloads that key... It seems likely that sigs from the GD are entering via one of two ways: firstly, individuals putting their keys on the global directory, and then sending their keys with GD sigs out to SKS keyservers; secondly, someone doing a 2-way synchronisation of their entire keyring with both the GD and the SKS network. -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs) / Feature Request
cdr wrote: MUS1876 wrote: Alphax wrote: I have friends who currently don't want to use PGP because they fear that their keys will be uploaded to a keyserver, and then they will be spammed forever more. I totally agree what friends of Alphax say. Wouldn't it be cute to have a sepcial option to flag both keys and subkeys as non exportable (uploadable) to keyservers? Speaking of myself at current, I also don't want to see any of my keys posted to a keyserver by someone else, be it on intention or not. The time is ripe for a GPG variant: (GPG-lean ?): a public key encryption utility with no built-in e-mail ties and no attempt whatsoever to incorporate the solution for the authentication problem. (For the majority of us, fingerprint-exchange-by-voice is more perfectly adequate). Ciphersaber? -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This IS about GD - a proposal on dealing with the problem
Zeljko Vrba wrote: Pawel Shajdo wrote: I think this is public more keyservers design problem than GD. Keyserver should accept new signatures only from key owner. Hm, maybe to define a key upload format which must be signed with the uploaded key itself (analogon of PKCS#10)? Of course, the public key itself should have some flag set to signed upload only so that the server doesn't accept it without the corresponding signature. However, the keyserver would then have to verify the signature of the uploading key... how much of an extra burden would this be? -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This IS about GD - a proposal on dealing with the problem
Zeljko Vrba wrote: Alphax wrote: However, the keyserver would then have to verify the signature of the uploading key... how much of an extra burden would this be? In what way extra burden? Computationally (CPU), programming complexity, or...? Computationally - it would be done only oncem on key upload. It is not really an expensive operation - the same as verifying a GPG signature. And I think that modern servers have much spare CPU time.. I don't suppose any keyserver operators could tell us the specs on their machines... -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs)
Johan Wevers wrote: Alphax wrote: Removing duplicated signatures however would probably have little impact, assuming you are removing only the newest ones Don't you mean keeping the newst ones? Er, yes. However as David Shaw pointed out further down the thread, there's no safe way to do so without validating the signatures first. -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs)
David Shaw wrote: On Fri, Sep 09, 2005 at 11:02:56AM +0200, Johan Wevers wrote: David Shaw wrote: I'd be all in favor of an option where users could elect to filter out keys: that would put the user in control. Forcing your decision on others by stripping signatures is a very disturbing step. Considering the behaviour of the GD, I'd say it's also a practical issue about resources: if it keeps signing keys like this, an SKS server might well be in need of seriously more hardware than it is now. Someone's got to pay for that, amd I don't think all keyserver maintainers want to. I have sympathy for that argument, so wouldn't it be good to trace down where the sigs are entering the keyserver net, and ask whoever is doing it to stop? It seems like the obvious first step. Well, I don't know *where* they are coming from, but I (and the kind soul who worked it out and told me) know think we know *how* it's being done. And unfortunately, it's very easy (too easy!) to do, especially for someone with a high-speed internet connection. -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP global directory cruft in keyservers
David Shaw wrote: On Tue, Sep 06, 2005 at 01:36:37PM -0500, John Clizbe wrote: Kurt Fitzner wrote: snip gpg --edit-key keyID clean And setting the clean-sigs and clean-uids options on import-options, export-options, and keyserver-options are our only defense until then. Like you, I refreshed from a SKS server and found 120 new sigs on my key, ALL PGP Universal Keyserver. To my knowledge, the PGP GD doesn't sync with anyone. It would be interesting to know how/where these signatures are leaking into the keyserver net. Probably some PGP users who are automagically synchronising their entire keyrings with multiple keyservers, leaking keys that their owners would rather not have on the keyservers in the process :( -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP Card
Alon Bar-Lev wrote: David Picon Alvarez wrote: I dropped all stuff regarding the differences using API and communication... I think you are wrong, there is exception for the rules... I try now to contact FSF for a formal position. The lawyer who wrote GPL wrote it with the explicit intent to incentive programmers to write free software and keep software free. Allowing linkage to or from NON-GPL code is generally considered to be counterproductive for the purposes stated. Here is what you imply... And it is so sad that I want to cry :-( On Microsoft platform, there is an API called CryptoAPI which is provided as part of the operating system. This API uses CSPs (Cryptographic Service Providers) that is provided by the smart card vendors. You trust the Microsoft CryptoAPI? Well why don't you just run Windows, which Microsoft Says is Perfectly Secure, and use Microsoft's inbuilt X.509 instead of OpenPGP, since Microsoft Guarantees No Back Doors in the CryptoAPI? -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP Card
Werner Koch wrote: On Tue, 06 Sep 2005 19:35:34 +0200, Zeljko Vrba said: As Alon did remark earlier, the general movement in the industry is towards multi-purpose smart-cards. OpenPGP card currently doesn't fall into this category. Not true. The OpenPGP card specification is a card application and you may put as many other applications on a card as you like and the EEPROM allows to. With 6k (and even less possible) it is actually a pretty small application. Um... slightly OT, but... 1. What's the standard size of the EEPROM on a smartcard suitable for OpenPGP? 2. What else could you fit on such a card? 3. Is it possible to have multiple things on a smartcard without them conflicting? Thanks, -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP Card
Peter Gutmann wrote: Alphax [EMAIL PROTECTED] writes: Zeljko Vrba wrote: Joe Smith wrote: For example, your CA can revoke your key leaving you with one key that is invalid X.509, but valid OpenPGP? Yuck! Using the X.509 cert and OpenPGP public key (having the same private key) could be useful in the following scenario: Is that even allowed?? SPENGLER (emphatic): Don't cross PGP and X.509. VENKMAN: Why not? SPENGLER: Trust me. It will be bad. VENKMAN: What do you mean bad? SPENGLER: It's hard to explain, but try to imagine Werner appearing suddenly and beating you to death with a large copy of the GNU manifesto. VENKMAN (with military authority): That's it! No X.509. You guys are dangerous. Wait, where's Richard Stallman in all of this? :) -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP Card
Alon Bar-Lev wrote: Alphax wrote: The only place in the GPL where libraries are mentioned is in reference to the LGPL. Using the Microsoft CryptoAPI doesn't appear to be legal; AFAICT, this is similar to the reason why Enigmail insists on GPG instead of being able to interface with PGP on Windows systems. So you say that it is illeagal to run GPL software on windows or on AIX... It also make no sense... Since it is... No, I'm saying that a GPL program (Enigmail) can't interface with a proprietary application (PGP) but has to interface with a GPL application (GnuPG). I'm not sure how interfacing with such a program or library through a pipe would affect the situation. IANAL. -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP Card
Janusz A. Urbanowicz wrote: On Tue, Sep 06, 2005 at 11:48:45PM +0930, Alphax wrote: The application is free to do whatever it wants with these objects, given sufficient authentication to the card (PIN). Technically, there is nothing CA can do to prevent you to use your X.509 keys as OpenPGP keys. I think I might have seen something like that with a Thawte Freemail root certificate or something... it wasn't pretty :( When Thawte signed PGP keys as a part of Web Of Trust program, they used the same key in both OpenPGP and X.509 form. Why you say it wasnt pretty? An actual RSA modulus is well hidden within the stuff so it doesn't really matter. They converted the same key several times, so there were 3 or so keys with the same long fingerprint, but different creation times - multiple copies of the same key. Is it possible to arbitrarily make an OpenPGP key with whatever keypair? -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users